How CISOs secure their home PCs | Skype explained
PAGE 30 PAGE 57

CSO Survey shows signs of your progress and growing influence

THE RESOURCE FOR SECURITY EXECUTIVES

building the future CSO
special issue

www.csoonline.com

SUBSCRIBE TODAY!

Yes, please enter my one-year subscription (12 issues) to CSO magazine, and bill me later for $70.00!

This is a domestic rate only (US and Canada). The foreign rate is $95.00 prepaid in U.S. currency.

Name
Title
Company Name
Address
City
State   Zip

□ Bill me  □ Bill my credit card  □ MC  □ VISA  □ AMEX

Account Number   Expiration date
Signature

CIN05

POSTAGE WILL BE PAID BY ADDRESSEE

CSO
ATTN: CIRCULATION DEPARTMENT
PO BOX 9014
FRAMINGHAM MA 01701-9836


It’s a big world out there, and your remote offices can be all over it. But no matter where they are, you can keep them secure with the Symantec™ Gateway Security 5400 Series and Symantec™ Gateway Security 400 Series appliances. Install the 5400 Series in your main office and the 400 Series in your smaller locations and you’ll have comprehensive gateway protection wherever you need it. To learn how to protect your company’s critical information, go to http://ses.symantec.com/appliances or speak with your Symantec Certified Partner.



(Before anyone else does.)

There are two kinds of security threats. Those you've faced and those you will. That's why CDW offers the latest security solutions from top name brands. We also have account managers who can help you find the right solution for you. And with access to the largest in-stock inventories, you'll get what you need fast. So why wait? Peace of mind is just a phone call away.

Wireless card sold separately

CDW 687935

Symantec™ Gateway Security 300 Series Appliance Bundle

• Bundle includes free Symantec™ Antivirus v9.0 business pack for 5 users
• Comprehensive security, a reliable Internet gateway and a secure wireless LAN option in one affordable solution
• Includes a Stateful Packet Inspection (SPI) firewall, secure IPSec VPN connectivity, intrusion detection and intrusion prevention, content filtering and policy enforcement for Symantec™ AntiVirus™ clients
• Utilize Symantec's LiveUpdate™ technology to keep your appliance's software up-to-date

nee includes 24 x 7 technical phone support and upgrade protection; call your CDW account manager for details. Customer understands that CDW is not the manufacturer of the products purchased by customer hereunder and the only warranties offered are those of the manufacturer, not
Pricing is subject to change. CDW reserves the right to make adjustments to pricing, products and service offerings for reasons including, but not limited to, changing market conditions, product discontinuation, product unavailability, manufacturer price changes and errors in advertisements.


Cisco Systems Premier Certified Partner

eTrust PestPatrol® Anti-Spyware Corporate Edition
Computer Associates®

All orders are subject to product availability. Therefore, CDW cannot guarantee that it will be able to fulfill customer's orders. The terms and conditions of sale are limited to those contained herein and on CDW's Web site at CDW.com. Notice of objection to and rejection of any additional or different terms in any form delivered by customer is hereby given. © 2005 CDW Corporation


Cisco® 2811 Integrated Services Router Security Bundle

• Enhanced investment protection through increased performance and modularity
• Offers wire-speed performance for concurrent services such as security and voice, and advanced services to multiple T1/E1/xDSL WAN rates
• Allows you to synchronize routing and security policies and reduce operational costs
• Bundle includes Cisco® 2811 Integrated Services Router and Advanced Security Cisco® IOS software

CDW 707661

• Provides rich security services including stateful inspection firewalling, virtual private networking (VPN) and intrusion protection in a single device
• Ensures that all the users behind it are safe and secure from threats lurking on the Internet using the Cisco® Adaptive Security Algorithm (ASA) and PIX® operating system
• Enforce customized policies on network traffic traversing through the firewall

CDW 508964

Cisco® Aironet 1231

• 802.11b/g, 54Mbps wireless access point
• Supports a variety of clients in mixed frequency and mixed throughput environments
• Allows single- or dual-radio configuration for up to 54Mbps connectivity in both the 2.4 and 5GHz bands
• Fully compliant with the IEEE 802.11a, 802.11b and 802.11g standards

CDW 558198

Computer Associates® eTrust PestPatrol® Anti-Spyware

• Delivers real-time, continuous spyware protection, detection and removal from PCs
• Detects and removes a wide range of spyware threats
• Supported by the largest spyware research group in the industry
• Centralized management
• 1 user license with 1-year Enterprise Maintenance*

CDW 716724

The Security Solutions You Need When You Need Them

The Right Technology. Right Away.
CDW.com • 800.399.4CDW
In Canada, call 800.387.2173 • CDW.ca

Cover photo by Glenn Oakley

4 www.csoonline.com March 2005

IN EVERY ISSUE
6 CSOonline.com
10 Letter from the Editor
15 Letters
62 Index

30 Safe at Home
SECURE COMPUTING CISOs are always pushing computer security policies. We asked three of them to forget the policies and show us how they handle security on their own home systems.

34 COVER STORY Inquiring Minds
INVESTIGATIONS To build an effective investigative team, CSOs need to assemble the right mix of specialized talents. Then they have to cultivate trusting relationships with other organizational leaders. By Daintry Duffy

42 Voice of Reason
VOICE OVER IP Much ink has been spilled over the vulnerabilities created by running voice traffic over data networks. But smart CSOs are, in fact, going to use voice over IP—and similar forthcoming technologies—to their benefit. By Fred Hapgood

46 Lessons from Across the Pond
GLOBAL SECURITY Brits handle security differently than do the Yanks. Understanding why and how can help give both sides new ideas. By Malcolm Wheatley

28 Video Surveillance
SECURITY COUNSEL Architect John Kingsley-Hefty, formerly of the Corporate Security Services Department at 3M, answers readers’ questions about video surveillance.

52 Doing the Right Thing
CSO UNDERCOVER Recent government guidelines spell out serious consequences if your company spots a risk and does nothing. But does that mean you should go looking for trouble? Yes.

DEPARTMENTS

17 Briefing
RFIDs fight drug trafficking; TSA seeks terrorist behavior detectors; Disaster preparedness levels at chemical plants; Top eight best practices for disaster recovery; Authenticating a baseball; Handwriting analysis made easy.

26 Wonk
Recent provisions to the Fair and Accurate Credit Transactions Act of 2003 affect every business that uses credit reports. By Paul Roberts

57 Machine Shop
Skype is a great way to communicate. But CSOs should know that it also brings auditing and monitoring challenges. By Simson Garfinkel

TOOLBOX Explosives detection

64 Debriefing
CONDENSED NARRATIVE How Lori Lee-Savage got her identity back.

Welcome to iCLASS from HID, where the possibilities are endless. For access control, it offers the security of mutual authentication. And its contactless smart card capabilities open the door to adding biometrics, time and attendance, vending, network access and more. If you can imagine it, iCLASS can do it.

ACCESS possibilities

hidcorp.com


Research Center Spotlight: Security Executive

The roles and responsibilities of security executives (CSOs, CISOs, VPs or directors of security) are still being defined. Keep track of trends, read profiles of fellow security executives and learn how to carve your own niche.
www.csoonline.com/sec_exec

Security A to Z

Learn the lingo of the security industry by searching for terms in our online glossary. We’ve just added some new ones, and we’re always looking for suggestions from readers.
www.csoonline.com/glossary

Get Alarmed

Read informed opinions on security and privacy topics from CSO's outspoken experts, Senior Editors Scott Berinato and Sarah D. Scalet. As they take turns probing the issues that affect you the most, they’ll make you think—and maybe even smile.
www.csoonline.com/alarmed

Something for Nothing

CSO newsletters are delivered right to your inbox for free. Sign up for newsletters on CSO careers, leadership and technology, or just to stay in tune with the most recent updates to CSOonline.com. What are you waiting for? Sign up now.
www.csoonline.com/newsletters


Has your company taken any precautions against domain name theft?

No: 60%
Yes: 40%

BASED ON 210 RESPONSES JAN. 18-25, 2005. CSO SECURITY CHECK IS AN OPEN WEEKLY POLL ON WWW.CSOONLINE.COM.

In “Lessons From Across the Pond,” (Page 46) contributor Malcolm Wheatley details the key differences—and there are many—in security policies and practices of the United States versus the United Kingdom. Read CSO's special issue, "The Global CSO," in our online archives for more detailed articles about managing the security challenges presented by global business.

Go to www.csoonline.com/printlinks.

“We’re already processing requests from business unit managers to eliminate Internet access.”

-KEITH RABUN, MANAGER, ENTERPRISE SYSTEMS AND ENGINEERING SERVICES, AUSTIN ENERGY, FROM “IS IT TIME TO CURB YOUR NET ENTHUSIASM?" WWW.CSOONLINE.COM/TALKBACK/011805.HTML


THE RESOURCE FOR SECURITY EXECUTIVES

President and CEO Walter Manninen
Group Publisher Gary J. Beach
Publisher Bob Bragdon

EDITORIAL
Editor in Chief Lew McCreary
Editor Derek Slater
Managing Editor Michael Goldberg
Managing Editor, Production Cheryl R. Asselin
Senior Editors Scott Berinato, Todd Datz, Sarah D. Scalet
Editor at Large Simson Garfinkel
Departments Editor Kathleen S. Carr
Contributors Stacy Collett, Daintry Duffy, Fred Hapgood, Susannah Patton, Paul Roberts, Malcolm Wheatley

COPY TEAM
Copy Chief Emily S. Henderson
Senior Copy Editor Diann Daniel
Copy Editor Cathy Mallen
Assoc. Copy Editor Daniel John Robinson
Editorial Assistants Margaret Locher, Al Sacco

RESEARCH & PROJECTS
Research Editor Lorraine Cosgrove Ware
Editorial Resource Manager Carol Zarrow
Associate Research Analyst Julie Hanson
Special Projects Manager Lynne Z. Rigolini

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor
Associate Art Director Chandra Tallman
Design Operations Specialist Rachel Barnett

ONLINE EDITORIAL
Web Editorial Director Art Jahnke
Consulting Editor Janice Brand
Web Editor Sandy Kendall
Web Writer Jon Surmacz

ONLINE & INFORMATION SYSTEMS
Chief Information Officer Mark Hall

ONLINE
E-Commerce Manager Andrew Burrell
Online Producers Todd Borglund, Shannon Macdonald, Jen McCarthy
Online Production Specialist Rupal Patel

INFORMATION SYSTEMS
Director of Information Technology Dagmar Eiben
Infrastructure Manager James C. Burgoyne
User Services Manager Ron Bettencourt
Senior User Services Specialist Michael Fahlsing
Senior IT Specialist Jonathan Frappier
Systems Administrator Robert Reagan
Senior Web Developers Sean McCracken, Ellen Morey
Associate Web Developer Anthony Servideo

CHIEF SECURITY OFFICER, CXO MEDIA INC./IDG
Robert Hayes

INTERNATIONAL DATA GROUP
Board Chairman Patrick J. McGovern
CEO Pat Kenealy

© CXO Media Inc.


Scott hates us.

And our customers couldn’t be happier. Scott’s a hacker and it’s our job to make his job impossible. We’re Sophos, a global leader in network security.

Over 97,000 viruses want inside your network. The number is growing—and so is the severity of attacks. Sophos knows how to stop them. Join the 25 million business users in 150 countries who already depend on our proven anti-virus, anti-spam and email policy enforcement solutions and acclaimed customer support to protect against multiple evolving threats.

FREE expert resources and the chance to WIN a Dell™ Pocket DJ at stopthethreat.com. Learn how a proven multi-tier network security solution addresses your network's protection, performance, productivity and policy enforcement challenges. Download free white papers, analyst reports and webcasts from independent expert sources at stopthethreat.com. While you’re there, enter for your chance to win one of two Dell Pocket DJs ($199 value each).

SOPHOS
anti-virus, anti-spam and email policy for business

Free downloads and the chance to win at stopthethreat.com ENTER PIN: y3kOqga


Can you see it?

Middleware is Everywhere

MIDDLEWARE IS IBM SOFTWARE. The IBM TotalStorage® Open Software Family. It automatically helps manage and optimize highly complex storage environments. By centralizing information. By fully utilizing resources. By simplifying data compliance. Help slash long-term storage costs. On demand. Comprehensive, reliable storage management solutions from IBM.

ON DEMAND BUSINESS

IBM, the IBM logo, the On Demand logo, and TotalStorage are registered trademarks or trademarks of International Business Machines Corporation in the United States and/or other countries. © 2005 IBM Corporation



When Technology Fails

The now-famous $170 million rat hole known as the FBI’s Virtual Case File system managed to galvanize plenty of outrage among those attuned to public-sector ineptitude.

This kind of debacle, the critics snorted, is just what we’ve come to expect from government technology projects. (Remember the repeated crashings and burnings of ambitious IRS system upgrades before that agency finally seemed to get it right?) The ultimate snort, of course, centers on the question of how the various intelligence agencies can ever hope to connect dots dispersed among their respective silos if a single key player like the FBI can’t even connect the intrasilo dots to enable sharing among its own agents.

Setting aside for a moment the worthiness of that last question, the sorry truth is that technology projects fail in high percentages everywhere, regardless of whether they have public- or private-sector roots.

That failure rate has been tracked for years by The Standish Group, a research firm based in West Yarmouth, Mass. And it’s not a pretty picture. Numbers from 2003 suggest that only 34 percent of the projects evaluated in Standish’s research succeeded—and that represents a vast improvement over the group’s first survey, nine years earlier, when only 16 percent succeeded in meeting their goals. Of the projects tracked in the 2003 report, 15 percent were flat-out failures, but a disturbing majority (51 percent) fell into a category that Standish calls “challenged,” meaning that they were over budget, took longer than promised and lacked some critical capabilities. That means that two-thirds of all projects fall short, to varying degrees, of fully satisfying their requirements.

Projects tank for many reasons, but in a short article on the Softwaremag.com website posted early last year, Standish Group Chairman Jim Johnson attributed most failures to faulty project management. And the bigger the project, the harder it falls. Virtual Case File is a cruiser-class system.

My colleague Allan Holmes, Washington bureau chief for our sister publication, CIO, has followed government technology projects for many years. And he notes that there are certainly some factors peculiar to federal bureaucracy that make matters more challenging, including the frequent turnover of political appointees (and their clashes with career employees); the byzantine procurement policies that enforce a glacial decision-making pace (and limit the universe of vendors willing to bid on work); and the fabled inflexibility of civil service workforces. Private-sector companies have their own set of political, cultural, managerial and vision impairments that can comparably affect the chances for project success. Consequently, Allan believes, the government is no more inept than the private sector when it comes to deploying IT systems. It just feels that way. “The government is more accountable. Every failure ends up in the public record,” he points out.

So, for IT projects, success, at 34 percent, is slightly better than new Baseball Hall of Famer Wade Boggs’s lifetime batting average (.328). In baseball, .340 would be sensational, but in business, not so hot. And yet that’s pretty much the norm.

And this is a good thing to keep in mind when we start pinning our hopes for the early detection of planned terrorist acts on vast information-sharing systems. If the FBI can’t get it right within its own puzzle palace, what is the likelihood of an IT-powered success that cuts across all of the puzzle palaces, both here and abroad? -Lew McCreary

viccreary@cxo.com

PHOTO BY WEBB CHAPPELL


Worrying about viruses and unwanted content can hold you back. That’s why thousands of companies across the globe - from Fortune 100 organizations to small businesses - rely on Sybari to secure their information workplaces, including e-mail, instant messaging, and document sharing.

Our unique solutions use multiple virus scanning engines and industry-leading antispam and content-filtering technologies to stop threats before they stop your business. Make the move to Sybari... and experience the freedom of security and productivity.

SECURING THE INFORMATION WORKPLACE

To learn more, visit www.sybari.com/cso05


PREEMPTIVE SECURITY IS HERE

YOU CAN
BETWEEN INTERNET SECURITY PLATFORMS:

(A) We protect you from the threat here
(B) The other guys react to the threat here

ss losses are measured in seconds, preemption beats “reaction” every time.

e only effective security is preemption. This preemptive power is only available with the Proventia® Enterprise Security Platform from Internet Security Systems. When software security flaws are discovered, Internet Security Systems’ world-renowned research team updates Proventia to immediately shield against any attacks targeting weak spots. Regardless of the size of your business, this new standard in Internet security can help keep you off the path to disaster and reduce your total cost of ownership. In fact, when we manage Proventia for you, we'll even guarantee protection. Need proof? Get your free whitepaper, Preempted Protection: Setting a New Standard in Security, at www.iss.net/proof/CSO or call 800-776-2362.

NETWORK | HOST INTRUSION PREVENTION | VULNERABILITY MANAGEMENT | MANAGED SECURITY SERVICES

www.iss.net

[Chart residue: Transaction Reports, losses per minute; $620,000 per hour]


Internet Security Systems®
Ahead of the threat.

"CIO magazine bested a record 1,282 other entries to win the 2004 Grand Neal Award."
American Business Media Neal Awards

"Cutting edge." (Computerworld)
American Society of Business Publication Editors

"Network World won an amazing seven of the inaugural Tabbie Awards, more than any other magazine worldwide."
Trade, Association and Business Publications International

"An outstanding marriage of practical information and thrilling narrative." (CIO)
American Business Media Neal Awards

"Computerworld and CSO named 2004 Magazines of the Year."
American Society of Business Publication Editors

"Best Website." (PCWorld.com)
American Business Media Neal Awards

Apparently, not all the most compelling quotes are in our articles.

"PC World is one of the top 10 magazines of the year."
American Society of Business Publication Editors

"IDG's performance this year is without a doubt a singular accomplishment by any media company."
Robert Freedman, President, American Society of Business Publication Editors

In 2004, IDG publications have been honored with over 165 awards for excellence by some of the country's most respected editors and professional organizations. That's more than our major competitors combined.

Which comes as no surprise to the over 10 million business and IT influencers who read an IDG publication every month.* For details, visit www.idg.com.

*MB Intelliquest CIMS v10.0, 2003. Total reach by the IDG publications covered in the study. Note: Statistic of over 10 million readers does not include CSO, CMO and Bio-IT World.

[Cover images of IDG publications: Bio-IT World, Network World, Computerworld, PC World]

csoletters@cxo.com

They Came Out Firing

We’re still collecting colorful commentary about a Briefing in our January issue, “Employers Fight Oklahoma Gun Law.” We welcome the varied feedback.

YOUR ARTICLE IS SOMEWHAT MISLEADING. These gun owners are licensed to carry weapons by the state of Oklahoma and have had their backgrounds checked by their state police and approved by the FBI.

ConocoPhillips and Williams Co. are two of the very few companies in Oklahoma that have nice, large, well-lit, campus-style locations. But 90 percent of the citizens of any state work in small companies with no security, park on city side streets or underlit parking lots, take city-based mass transit and so on—all locations where crime is more likely to happen after dark.

THOMAS HERLIHY
Scaletta Moloney Armoring

CORPORATE AMERICA HAS JOINED IN the antigun hysteria with the media, interest groups and many politicians.

Employees bringing guns to work and leaving them in their vehicles has nothing to do with the potential for workplace violence. These employees want to protect themselves on their way to and from work. They have already been granted permits by their states.

The primary source of workplace violence is from employees who feel that their real or imagined grievances have not been handled properly by their employers.

In Security 101, we learned about the terms “prevention,” “detection,” “analysis” and “response.” In corporate America, we have given up on any meaningful response to a violent attack, delegating it to local law enforcement. Our employees should at least be permitted to travel safely to work.

LLOYD F. REESE
Information Security Specialist, U.S. Government

Corrections: The following corrections apply to the article, “One Day to a Better You,” published in December 2004. The Presidio is south of the Golden Gate Bridge, Anders Noyes’s eyes are blue, and Noyes will have 60 direct and indirect reports. The article "Where the Metrics Are” in the February issue of CSO misstated the nature of security audits at Georgia Power. The company's security team makes planned, announced security audits—not unannounced audits. These audits are part of the company’s readiness review process, and not part of penetration testing (which occurs unannounced). We regret the errors.


Certified Protection Professional

Board Certified in Security Management

THIS CERTIFICATION SAYS IT ALL

When you're "board certified in security management," you're accorded the highest recognition in the world as a security professional. These three letters — CPP — tell people that you have demonstrated competency, professional expertise, validated knowledge, and proven skills, which translate into a real competitive advantage in the increasingly complex and demanding business of security.


How to Reach Us

E-MAIL
csoletters@cxo.com

PHONE
508 872-0080

FAX
508 879-7784

ADDRESS
CSO Magazine
492 Old Connecticut Path, P.O. Box 9208
Framingham, MA 01701-9208

SUBSCRIBER SERVICES
phone: 866 354-1125 fax: 847 564-9453
e-mail: cso@omeda.com

REPRINTS
For article reprints (500 quantity or more), contact Keith Williams at PARS International at 212 221-9595 x319 or e-mail keith@parsintl.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG’s 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.

HERE’S WHAT MAKES THE CPP THE BEST IN THE INDUSTRY

• Board certification: the highest recognition in the world accorded to security management professionals.
• Certified Protection Professional (CPP) is an established program, consistently updated to make sure it is current.
• The average CPP employee earns 16% more than his non-certified security management counterpart.

Call 703-519-6200 today for an application, or visit www.asisonline.org.

Advancing Security Worldwide
CELEBRATING 50 YEARS


Accounting: fraud/loss prevention
HR: privacy
IT: business continuity
Facilities: workplace/employee safety
Network Admin.: intellectual property protection
Marketing: brand protection
Legal: regulatory compliance

CSO is the preferred resource catering to the expanding information needs of today’s strategic security executives. CSO provides CSOs with the resources they need to make their companies secure and competitive in today’s ever changing business environment.

CSO
The Resource for Security Executives

What Keeps the CSO Up At Night?

Connecting security solutions to business realities is central to the CSO role. They must understand what risk means to their company and how to balance that risk with business opportunity. After all, the CSO is responsible for all aspects of the company’s security but is also a business executive with an eye on the bottom line.

CEO: wants the company’s employees, assets and information protected without compromising the ability and agility to capitalize on business opportunities

CSO: connecting all aspects of physical and information security with business realities, partnering with executive peers and communicating risks and solutions throughout the company


operations can continue uninterrupted. To support diagnosticians' imaging requirements, the organization makes extensive use of Picture Archive Communication System (PACS) imaging, which often uses files that are a gigabyte or larger. The network must be robust enough to handle those files in large numbers as teleradiologists move them, via a VPN, to and from the archive system.

All of Aurora's Internet traffic is forced through a single pipe. "It is easier to secure that one choke point," explains Dan Lukas, Aurora's security analyst and a key member of the risk-management team. However, he adds, like most organizations, Aurora is finding that "most security threats are internal, whether it is disgruntled employees or members of the IT staff who know all the naming conventions."

Ensuring that such security concerns are adequately addressed is central to meeting the requirements of the Health Insurance Portability and Accountability Act of 1996. Better known as HIPAA, the law sets strict new standards for health-care record-keeping and privacy protection. Key portions of HIPAA take effect on April 21, 2005.

Aurora's plan for sustaining a HIPAA-compliant environment is implementing and maintaining security best practices. But Aurora CSO Fred Mikolajewski notes that the organization has always had a strong commitment to protecting confidential information. "Patients and our partners in


ADVERTISING SUPPLEMENT

Security is easy to talk about. Plans are a dime a dozen. Implementations are where talk must turn into action.

Intellitactics

CSO Custom Publishing


Aurora Health Care, a fast-growing not-for-profit organization based in Milwaukee, was founded in 1984 to provide health-care consumers with better access, better service and better results than they can find elsewhere. Indeed, Aurora has been nationally recognized for its efforts to improve health-care quality through its 14 hospitals, more than 100 clinics and 140 community pharmacies in Wisconsin.

As Aurora has grown, its IT operations have mushroomed as well. Today, the organization's information infrastructure is a complex web of Novell® networks and servers, hundreds of Microsoft® application servers, a Citrix® farm, some AIX®, Solaris™ and Linux® OS and a large Lotus Notes® implementation. Its customers are diverse and largely non-technical health-care professionals who depend on this infrastructure's availability and confidentiality.

Aurora's data center in Milwaukee houses the company mainframe and a number of Alpha-based servers. The data center has dual connections to each hub to ensure that even when a connection is lost,


ADVERTISING SUPPLEMENT

INTELLITACTICS NSM™ AT A GLANCE

Intellitactics™ protects critical information assets to balance appropriate risk with business effectiveness. Intellitactics simplifies the task of managing a highly distributed and complex security landscape. Intellitactics consolidates and analyzes data from any number of security devices, operating systems and applications, providing real-time threat detection and historical analysis for compliance reporting, trend analysis or forensics.

As a result, Intellitactics provides security operations with unprecedented control for detecting and mitigating the impact of threats on their information assets. It also helps compliance officers and risk managers sustain compliance environments that provide immediate access to reports verifying and validating that controls are working.


providing health-care must trust us to carefully protect and provide access to the right information only when necessary and when allowed by law," he says.

Lukas notes that Aurora employees can be terminated for failing to maintain proper privacy practices. Says Lukas: "We have been pushing security best practices proactively for years, because if you try to reengineer after the fact, you always end up spending more — more time and more money."

"Aurora's risk-management strategy requires prioritization of applications that pose the greatest threat to protecting the confidentiality of patient information," Lukas says. His staffers and their financial counterparts now require internal customers to complete a form assessing potential risk before the organization will reimburse them for software purchases.

The plan also emphasizes education. Aurora requires all employees to answer an intranet-based questionnaire on network security to ensure that they understand risks and best practices. "Creating awareness, educating on the consequences and doing it often ensures that these practices will sink in," Lukas says.

Lukas plays an active role in writing and implementing the organization's HIPAA-related security policies. The effort involves four working groups: Three focus on risk assessment, login monitoring and security threats; the fourth is a security-incident response team (SIRT).

Each group's work is equally important, Lukas emphasizes. For instance, the risk-assessment group is trying to determine the relative risks involved with each of about 1,000 distinct applications in use at Aurora. "Probably about 450 of those apps contain protected health information (PHI) — which HIPAA defines as any personally identifiable information held or transmitted in any medium," Lukas explains. What's more, some applications serve thousands of users at a time, a factor that he calls "one of the most difficult things to assess and manage from a security standpoint."

For Lukas, the key to validating and verifying that controls are working is Intellitactics NSM™, which provides crucial event-correlation capability. "Other tools we have pump data into Intellitactics so that we can see it all in one spot," he says. "Otherwise, it would require 10 people to monitor this stuff."


Using Intellitactics, Aurora consolidates security-related data from firewalls and hardware such as switches and routers, as well as output from monitoring tools such as BMC Software Inc.'s Patrol® and Aprisma Management Technologies Inc.'s Spectrum®. The solution's effective correlation capabilities provide a wide-ranging view of the whole enterprise, pinpointing potential problems as they emerge.

"Identifying a vulnerability and applying the appropriate controls is an ongoing process," says Mikolajewski, Aurora's CSO. "Intellitactics gives us the ability to validate that our controls are effective."

Lukas agrees. "It brings together all of these other tools and lets us set up ways to monitor and recognize traffic anomalies, and it is very adaptable to our requirements," he says. For instance, Intellitactics can be set to look for addresses that are transmitting certain numbers of packets or files of a particular size, or it can set up watch lists for specific senders or file types.
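The kind of correlation Lukas describes, reduced to its essentials, as an added example that is not Intellitactics' or Aurora's code: constructed firewall and file-transfer log lines in two made-up formats are normalized into one event stream, and then a per-source packet-count threshold, a file-size threshold and watch lists for specific senders and file types run over it. The log formats, the field names, the thresholds and the watch-list entries are all assumptions chosen for the demonstration, not anything the profile states.

```python
import os
import re
from collections import defaultdict

# Constructed sample log lines in two made-up formats; not real Aurora Health
# Care or Intellitactics data. Consolidation means both end up in one event list.
FIREWALL_LINES = [
    "2005-03-01T10:00:01 fw1 ACCEPT src=10.1.5.20 dst=192.0.2.10 dport=443 pkts=400",
    "2005-03-01T10:00:07 fw1 ACCEPT src=10.1.5.20 dst=192.0.2.10 dport=443 pkts=450",
    "2005-03-01T10:00:09 fw1 ACCEPT src=10.1.5.31 dst=192.0.2.22 dport=80 pkts=12",
    "2005-03-01T10:00:15 fw1 ACCEPT src=10.1.5.20 dst=192.0.2.10 dport=443 pkts=300",
]
TRANSFER_LINES = [
    "2005-03-01T10:01:02 proxy1 PUT sender=10.1.7.5 file=ct_study_0412.dcm bytes=1400000000",
    "2005-03-01T10:01:40 proxy1 PUT sender=10.1.9.77 file=notes.txt bytes=2048",
    "2005-03-01T10:02:11 proxy1 GET sender=10.1.5.31 file=update.exe bytes=904000",
]

FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) \S+ src=(?P<src>\S+) dst=\S+ dport=\d+ pkts=(?P<pkts>\d+)$"
)
TRANSFER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) \S+ sender=(?P<src>\S+) file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)

# Assumed rule settings; a real deployment would tune these per site.
RULES = {
    "packet_threshold": 1000,               # cumulative packets from one source address
    "file_size_threshold": 1_000_000_000,   # 1 GB, the PACS image size the profile mentions
    "watched_senders": {"10.1.9.77"},       # watch list for specific senders
    "watched_file_types": {".exe", ".bat"}, # watch list for specific file types
}


def normalize(lines):
    """Turn raw lines from either source into dicts with common field names."""
    events = []
    for line in lines:
        m = FIREWALL_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "dev": m["dev"], "src": m["src"],
                           "kind": "packets", "pkts": int(m["pkts"])})
            continue
        m = TRANSFER_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "dev": m["dev"], "src": m["src"],
                           "kind": "file", "file": m["file"], "bytes": int(m["bytes"])})
            continue
        # Keep unparseable input visible rather than silently dropping it.
        events.append({"ts": "", "dev": "", "src": "", "kind": "unparsed", "raw": line})
    return events


def correlate(events, rules=RULES):
    """Run the threshold and watch-list rules over the event stream in time order.

    Returns a list of (rule, source_address, detail) tuples.
    """
    alerts = []
    pkts_by_src = defaultdict(int)
    fired = set()  # sources that already tripped the packet rule, to avoid repeats
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["kind"] == "packets":
            pkts_by_src[src] += ev["pkts"]
            if pkts_by_src[src] >= rules["packet_threshold"] and src not in fired:
                fired.add(src)
                alerts.append(("packet_threshold", src,
                               f"{pkts_by_src[src]} packets by {ev['ts']}"))
        elif ev["kind"] == "file":
            if ev["bytes"] >= rules["file_size_threshold"]:
                alerts.append(("file_size", src, f"{ev['file']} is {ev['bytes']} bytes"))
            if os.path.splitext(ev["file"])[1].lower() in rules["watched_file_types"]:
                alerts.append(("watched_file_type", src, ev["file"]))
        if src in rules["watched_senders"]:
            detail = ev.get("file") or f"{ev.get('pkts', 0)} packets"
            alerts.append(("watched_sender", src, detail))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in correlate(normalize(FIREWALL_LINES + TRANSFER_LINES)):
        print(f"{rule:18} {src:12} {detail}")
```

Run as a script it prints four alerts: the packet rule fires once for 10.1.5.20 when its cumulative count crosses 1,000 on the third line, the 1.4 GB DICOM transfer trips the size rule, the watched sender and the watched file type each produce one line. The cumulative counter is what makes this correlation rather than per-line matching: no single firewall line exceeds the threshold on its own.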

"When you have the ability to do it right the first time, it saves time and money," Lukas says. "But it's never too late to create policies and implement best practices using technology to protect information and sustain compliance."

For more information, please visit www.intellitactics.com. To learn more about building a sustainable compliance-management infrastructure, register for our March 10 Web seminar featuring Aurora Health Care security analyst Dan Lukas.




DRUG TRAFFICKING

RFIDs The makers of prescription drugs have found a new weapon to fight counterfeiters: radio frequency identification (RFID). Purdue Pharma, the manufacturer of OxyContin, is now using RFID tags to track shipments of its theft-prone drug. Pfizer says it, too, will start putting the tags on bottles of widely counterfeited Viagra by the end of this year. The U.S. Food and Drug Administration gave the RFID plan a boost when it recently published guidelines to help other drugmakers get started before RFID labels become mandatory in 2007.

“With RFID, the drug industry will be able to police itself for the first time,” says Aaron Graham, vice president and CSO at Purdue Pharma. The World Health Organization says approximately 7 percent to 8 percent of the world’s drugs are counterfeit. RFIDs will make it virtually impossible for counterfeit drugs to enter the supply chain. Pharmacists using handheld readers will be able to quickly check whether bottles have been reported stolen.

RFIDs still don’t come cheap. Purdue Pharma plans to invest $2 million in infrastructure and 30 cents to 50 cents for each RFID label. The company will also donate handheld scanners to police officers and to each FBI field office. -Susannah Patton


Good Sweat, Bad Sweat

TSA seeks behavior detectors to weed out terrorists

TECHNOLOGY Can a computer tell the difference between a perspiring, would-be suicide bomber and a perspiring, determined passenger about to miss his flight? That’s what the Transportation Security Administration (TSA) wants to know.

Last year, TSA posted a request for information (RFI) for technology that “can remotely detect patterns in a passenger’s physiological responses or overt behaviors”—such as darting eyes or sweating temples—that are associated with malicious intent. TSA’s transportation security lab is reviewing the submissions.

Surveillance equipment makers say technology that discerns physiological responses—such as good sweat from bad sweat—is in the embryonic stage of development. But a combination of current technologies comes very close to achieving the same results. Biometric devices, such as fingerprint scanners, can analyze skin resistance tightness, moisture level and pulse rate. Layered voice analysis (LVA) senses agitation. Infrared technology can measure body temperature, and video surveillance can detect odd movements.

Two companies, security provider Radian and LVA technology provider V LLC, have submitted a joint response to the TSA’s RFI. They are developing a security kiosk that combines all of these detectors to screen passengers without a pat down.

Voice analysis technologies, such as LVA, accurately identify suspicious behavior 83 percent of the time, according to a study by the Air Force Research Lab. “Layering the technology with biometrics and video improves that accuracy,” says Richard Sackett, chief engineer at Radian. Sackett expects companies with critical database centers, such as financial institutions, to use security kiosks to keep the centers secure. -Stacy Collett


PHOTO  TOP  BY  GETTY  IMAGES:  ILLUSTRATION  BY  PAUL  HOWALT 




Chemical Perceptions

Are companies that house large amounts of hazmats prepared for a terrorist attack? According to a recent survey, not as well as they should be. New Perspectives Consulting Group and the Paper, Allied-Industrial, Chemical and Energy Workers International Union (PACE) found that 54 percent of the PACE workers surveyed at 125 sites said they faced a medium or high likelihood of a catastrophic event from a terrorist attack. Only 38 percent said their companies had taken effective action to prepare and respond to an attack.

The safety and security of employees at hazardous chemical plants and the communities near them was an issue long before the events of 9/11. The U.S. Clean Air Act Amendments of 1990 required the U.S. Environmental Protection Agency to regulate the establishment of risk management programs at the 15,000 sites in the United States that produce or store highly hazardous chemicals—including petroleum refineries and paper mills, and sites that use nuclear materials or manufacture chemicals. Those sites are now deemed potential terrorist targets.

In the area of prevention, according to 73 percent of the survey respondents, systems to guard and secure the plant had improved; 43 percent had improved their communications systems; and 38 percent had improved training and procedures to prevent terrorist attacks. Irv Rosenthal, senior fellow of risk management at the University of Pennsylvania’s Wharton School, says that the 73 percent number is higher than he expected. “People in business are coping with many crises. The fact that 73 percent took action with regard to terrorism on a voluntary basis, I think that’s surprisingly high,” he says.

One area Rosenthal says deserves closer attention from companies, however, is worker and community involvement. Just 21 percent of union respondents said they were informed of plans relating to preventing or responding to a terrorist attack. The entire survey can be found at www.pacehealthandsafety.org.

-Todd Datz


Mixed Reviews For DHS Grants

DHS Some cities and states celebrated, while others cried foul after the Department of Homeland Security’s Office for Domestic Preparedness released its FY05 federal terrorism preparedness grants last December. Responding to complaints from big-city mayors, DHS, taking into account the fact that cities such as New York and Washington, D.C., deserve bigger pieces of the pie, shifted more of the $2.5 billion awarded to state and local governments to urban areas, under the Urban Area Security Initiative (UASI) program.

The terrorism preparedness grant program allocated $1.66 billion to be divided among states, territories and the District of Columbia under the existing formula, which was part of the USA Patriot Act (0.75 percent of total appropriations go to each state, 0.25 percent to each territory). Another $855 million was allocated to UASI.

CHART: FY05 Urban Area Security Initiative Allocations, top five city recipients: New York City ($208M), Washington, D.C., Los Angeles, Chicago, Boston. FY05 Homeland Security Grant Program, top five state recipients: New York, California, Texas, Illinois, Florida. Two further bar values from the original chart, $298M and $283M, cannot be matched to recipients in this rendering. SOURCE: DHS, CONGRESSIONAL RESEARCH SERVICE

Some city officials were happier than others. New York City, for example, received a grant under UASI for $208 million, an increase of $161 million from 2004. Memphis, on the other hand, saw its share shrink from $10 million in 2004 to zero in 2005. And the state grant formula continued to elicit howls from large states. Why? Because the formula sets aside 40 percent of total appropriations to be divided equally among the states, regardless of population or other risk factors.

The result is that, out of the $2.5 billion allotted for homeland grants, a state such as Wyoming is slated to receive $27.80 per capita in 2005, while California will receive $8.05. -T.D.




PHOTO  BY  GETTY  IMAGES 


The world's first commercial SONET encryptor with speed and security.

It's the perfect combination of speed and security with no data overhead. The SafeEnterprise™ SONET Encryptor gives you a throughput of up to 10 Gbps. It employs the highly secure AES algorithm with a 256-bit key length. And it does all of this with an encryption process that produces no data overhead. Designed for OC48 and OC192 networks, the SafeEnterprise SONET Encryptor will blend transparently into OC3/OC12 systems. So why sacrifice speed, security, or low overhead when you can have all three to secure your entire chain of telecommunications? Call SafeNet today and ask about the SafeEnterprise SONET Encryptor.

Call 1-800-696-8124 to be SafeNet sure.

www.safenet-inc.com/sonetl 104

Copyright 2005, SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet, Inc. (NASDAQ: SFNT)

The Foundation of Information Security


Top Eight Best Practices for I.T. Disaster Recovery

Given the high number of blackouts, hurricanes and other disasters that have come our way during the past few years, many CIOs are wisely reexamining their disaster recovery strategies. CIO Executive Council members share some of their tried-and-true methods with CSO readers.

1. Empower your staff. Dedicate a department within IT to manage business continuity planning and disaster recovery.

2. Divide and conquer. To ensure business involvement, some CIOs separate business continuity planning and disaster recovery into two initiatives, each with its own governance and goals.

3. Make sure the plan can stand alone. Develop a plan that will work with or without the people who created it.

4. Challenge the business. Request that individuals think about how long they can really go without a particular application.

5. Align disaster recovery with application development.

6. Test your crisis management team with mock disasters. Tabletop tests won’t cut it.

7. Try before you buy. Test products and new technologies before you purchase.

8. Hold postmortems and adjust. What you do with the results of the test is a critical part of disaster recovery planning.

EDITOR'S NOTE: THE CIO EXECUTIVE COUNCIL IS A PROFESSIONAL ORGANIZATION FOR CIOS FOUNDED BY CXO MEDIA, CSO'S PUBLISHER. FOR MORE INFORMATION, GO TO WWW.CIOEXECUTIVECOUNCIL.COM.


THE SECURITY BLOTTER

Breaches, scams and other recent incidents of note

Dirty bomb warning goes public before false alarm declared. Six days after federal and state authorities began scouring Boston in search of 16 foreign nationals who allegedly were planning to detonate a lethal radioactive bomb, the FBI said on Jan. 25 that the threat was not credible. “While the threat information proceeded from criminal activity”—an alien-smuggling operation at the U.S.-Mexico border—“there were, in fact, no terrorist plans or activity under way,” the FBI statement said. The bureau, which had issued pleas for information about the 16 people, including 13 Chinese and two Iraqis, withdrew that request. While authorities had emphasized that the anonymous tip about the bomb threat was uncorroborated, the news prompted Gov. Mitt Romney to cut short a trip to Washington, D.C., and activate Massachusetts’ emergency bunker.

U.S. Secret Service agent’s mobile phone hacked after policy breach. A California grand jury indicted a man for allegedly hacking into the network of T-Mobile USA and accessing information on 400 of the company’s customers, including information from the account of a Secret Service agent, Reuters news agency reported. The agent had some sensitive materials linked to Secret Service investigations stored on T-Mobile’s systems, violating government rules that prohibit the storage of certain documents on nongovernment computer systems. The company discovered the breach in October 2003 and reported the incident, according to Reuters. A Secret Service spokesman said the breach did not compromise ongoing investigations.

Systems breach prompts university to issue broad warning. George Mason University alerted 32,000 students, faculty and staff on Jan. 9 to a security breach that could make them vulnerable to identity theft or credit card fraud, The Washington Post reported. GMU officials detected a network intruder on Jan. 3 and determined that one of its Windows 2000 servers was breached before sending out the alert. On Jan. 11, university officials gave the breached server to Fairfax County, Va., police so that the authorities could run computer forensic tests, The Post reported. GMU is home to the Center for Secure Information Systems, which works to improve security technology.

New threat to small-aircraft pilots: laser pens. Federal prosecutors cited David Banach, a 38-year-old fiber-optics technician from Parsippany, N.J., for allegedly shining a laser pen into the cockpit of a small passenger jet and a helicopter, and then lying about his actions to federal agents, The New York Times reported on Jan. 5. Around the nation, pilots had reported at least seven incidents of concentrated beams of light shining from below into aircraft cockpits since Christmas, The Times noted. Aviation experts say such lights can disorient pilots, and prosecutors plan to pursue cases such as Banach’s to deter terrorism. The charge against Banach, of interfering with a mass transit vehicle, is a felony under the USA Patriot Act. Banach’s lawyer said he would plead innocent.

China accuses American pair during piracy crackdown. Two Americans were put on trial in China in January for allegedly selling close to $1 million worth of movies online, The Associated Press reported. Chinese state media have reported on the case as an effort by the Beijing government, under pressure from the United States and other nations, to step up enforcement of laws against illegitimate DVD and CD sales. The Americans are on trial with two alleged Chinese accomplices. They could face up to 15 years in prison.

SHORT TAKES: The FBI is reviewing its $170 million paperless information sharing system, known as the Virtual Case File, which bureau officials said doesn’t work after four years in development, The Associated Press reported.... Phishing attacks rose 24 percent per month from July through November, to 1,707 incidents in November, the Anti-Phishing Working Group said.... Philip A. Cummings, 35, of Cartersville, Ga., a former software company help desk worker who touched off the nation’s largest ID theft case, was sentenced to 14 years in prison by a federal judge. The case caused an estimated $50 million in damage. -Kathleen S. Carr

Gov. Mitt Romney activated Massachusetts' emergency center during what turned out to be a dirty bomb false alarm.




ILLUSTRATION  BY  PAUL  HOWALT;  PHOTO  BY  AP/WIDE  WORLD 


To gain access to the financial world, you have to go through Software House.

Our fully scaleable security management systems are used in some of the world's leading financial institutions. Software House solutions give you real-time control over your entire enterprise access system and integrate with a wide variety of other security and corporate systems. Take control with the leader in security management systems — Software House.

• C-CURE® 800/8000 security management solution

• iSTAR™ intelligent controllers with DHCP support

• Solid integration platform for streamlined control of access, digital video, ERP, HR systems, asset management and more

C-CURE 800 Security Management System

www.swhouse.com


In time for spring training, CSO spoke with Colin Hagen, vice president of licensing at Major League Baseball, about memorabilia authentication

When it comes to brand security, Major League Baseball leads the way in the sports industry with its comprehensive memorabilia authentication program. All keepsakes, from autographs to team-branded bases and dugout lineup cards, are affixed with a hologram sticker by an authenticator from Deloitte & Touche. About five authenticators work in each city where Major League Baseball is played. One of the five watches all autograph signings and attends all MLB games. Each hologram produced for MLB by OpSec U.S., a provider of security and authentication technologies, has a unique ID number, which is logged into an MLB.com database, along with information pertinent to the object, such as who signed it and when. All of that information is then posted on MLB.com, for consumers to verify information.

CSO: How did the authentication program start?

Colin Hagen: In the mid ’90s the FBI launched Operation Bullpen [an FBI investigation prompted by autograph forgery] and found that approximately 75 percent of all autographs are fake. That was a hurdle baseball had to overcome. Authenticated items usually go for about twice as much as unauthenticated items. People will pay a little bit more to know they are real. Now, when they see [the hologram with] the silhouetted batter logo on it, they see a good housekeeping seal of approval.

If you try to take the hologram off, it is destroyed; you can’t reapply it on anything else. I can’t take it off my Pokey Reese ball and put it on my Pedro Martinez ball.


How do you authenticate memorabilia?

About five Deloitte & Touche authenticators are in every city where Major League Baseball is played. One of the authenticators goes to every game. The teams on a day-to-day basis decide what they want to authenticate—items like the dugout lineup card, broken bats or a set of bases.

And say Manny Ramirez is going to be having an autograph signing with one of our licensees. They’ll plug in when he’ll come, how many items they have and what the breakdown is of the items he’s going to sign, and the local Deloitte & Touche rep will bring the holograms. The local reps are in charge of their own holograms. The authenticator will apply holograms to autographed items at the signing itself and then will destroy leftover holograms on the spot.

How can fans find out if their memorabilia is authentic?

Each hologram is uniquely numbered. After authenticating, the rep will log information into the MLB.com database so that you, the consumer, can type in that hologram number and confirm all the information about that item. So if you’ve got a game-used base from the World Series, you can go to MLB.com, punch in the number, and it will tell you this is a base from Game 2 of the 2004 World Series, Boston Red Sox versus the Cardinals, or this ball was signed by Manny Ramirez on such and such day, and may even give the licensing information, so it will serve as your backup and your database. And the beauty of it is: Instead of a certificate of authenticity, which can be easily faked or lost three months down the road, you can go right to the Internet to retrieve the information.

Are there any revisions planned to the authentication technology?

The hologram is overt. The consumer sees that silver hologram, it’s a distinguishing feature between an item that has been authenticated and one that has not. But covert mechanisms, things not apparent to consumers, within the authentication process will continue to grow. We’d be naive to think that in 15 years the hologram is all we’ll need.

What are your thoughts on other professional sporting agencies using such a comprehensive authentication process?

We’d love to see the other leagues do this. We’ve certainly championed it. I believe they are all looking at their own processes. There really does need to be a standard in this industry. We at Major League Baseball felt it was important to take the leadership role because we have the lion’s share of the collectibles marketplace. The responsibility comes with that to step up and put something in place to maintain the trust between our fans and baseball.

-Diann Daniel


Baseball’s Reality Check




PHOTOS  BY  STEPHEN  WEBSTER 


Retailers ring up more profits with American Dynamics.

Retailers everywhere count on American Dynamics for video security that helps them reduce internal shrinkage and deter shoplifting. That's because American Dynamics sets the standard for intelligent and innovative video technology. Our products are built to last, easy to install and easy to use. We offer a comprehensive selection that addresses virtually every application, big or small. So protect your inventory with American Dynamics, and watch your bottom line grow.

Intellex® digital video management systems
SpeedDome® programmable dome cameras
MegaPower™ matrix switcher/controller systems
IntelleView transaction monitoring solutions
Fixed cameras, monitors and accessories

www.americandynamics.net

Pictured: Matrix Switcher, SpeedDome Ultra, LCD Monitor


Risk Avoidance

A new framework from COSO aims to help companies evaluate risk across the enterprise

ENTERPRISE RISK MANAGEMENT The CSO’s job is all about risk. And if the Committee of Sponsoring Organizations (COSO) of the Treadway Commission has its way, soon everyone else’s job will be about risk too.

COSO, a voluntary council with members from five accounting organizations, made its name with its internal control framework, which was cited in the Sarbanes-Oxley Act as an example of controls companies could use to prevent fraudulent financial reporting. Now the group has released a framework about enterprise risk management (ERM), of which internal controls are only a small part.

“ERM provides a comprehensive way for companies to avoid surprises,” contributor Rick Steinberg told the crowd at what amounted to a release party for the document in midtown Manhattan in late September. “That’s the bottom line.”

The framework breaks ERM into four categories—strategic, operational, reporting and compliance—and assumes that every risk can be avoided, accepted, reduced or shared. Right now, few companies outside of financial services are looking at risk in such a formal way, according to Steinberg and others. However, executives who look at risk in a comprehensive way will be able to add to their company’s bottom line, by evaluating how risks interrelate so that they can make better decisions about which risks are worth taking.

Now that the framework has been finalized, it’s up to companies to decide if they want to adopt it—and up to CSOs to make sure that their expertise in operational risk management is a key part of this implementation.

“The marketplace will now decide if this is useful,” says longtime chairman John Flaherty, the former general auditor of PepsiCo. “If the product is as good as we think it is, it’s going to sell, and companies will adopt it.”

A free executive summary of the framework is available at www.coso.org, where visitors can also purchase the two-volume set for $75.

-Sarah D. Scalet




HANDWRITING ANALYSIS What’s in a bump? A lot, if you’re trying to determine the authenticity of a piece of handwriting.

That was the conclusion of researchers from the Università degli Studi Roma Tre in Rome who recently published a paper on a new method for handwriting analysis.

The team of scientists, led by Giuseppe Schirripa Spagnolo, studied the bumps created when two or more pen strokes overlap. To uncover the bumps, the scientists scanned a document with laser beams to make a digital, 3-D hologram of the pen strokes. They could then reconstruct the sequence of pen strokes that created the writing sample.

That’s an improvement over existing, two-dimensional analysis, which relies on studying the sequence of strokes that make up a sample of handwriting.

The technique provides a new way for forensic handwriting experts to determine facts about the dynamics of writing, such as whether a stroke was drawn clockwise or counterclockwise. Such information is crucial in determining the accuracy of handwriting analysis, but it is not easily determined using traditional, two-dimensional analysis.

The technique is also an improvement over existing handwriting analysis because it doesn’t involve treating the handwriting sample with foreign substances to yield information—a plus when dealing with old or fragile samples.

-Paul Roberts


PHOTO LEFT COURTESY UNIVERSAL STUDIOS; TOP BY GETTY IMAGES

Authenex

Strong Authentication. e-Security. Less Overhead.

The Authenex A-Key hybrid token offers USB and one-time password functionality for your company's strong two-factor authentication needs. Whether those needs are VPN, LAN, or Web, the Authenex A-Key works in conjunction with the ASAS authentication server to offer strong two-factor authentication with or without PKI. The A-Key also provides 128-bit AES encryption and secure file exchange. The only solution that delivers total mobility and maximum flexibility is waiting for you.

Strong Authentication
One-Time Password
Full PKI Support
Hard Disk/File Encryption
Secure File Exchange
Total Mobility

Available Now!

Get your free evaluation A-Key now*

Visit us on the web at www.authenex.com/cso
Tel. +1 (877) 288-4363 or +1 (510) 324-0230

Microsoft Certified. VeriSign.

* Certain terms and conditions may apply.

© Authenex, Inc. All rights reserved. Authenex, A-Key and associated logos are registered or unregistered trademarks of Authenex, Inc. All other trademarks in this document are the sole property of their respective owners.


The FACT Act

Recent provisions to the Fair and Accurate Credit Transactions Act of 2003 affect every business that uses credit reports. By Paul Roberts

THE PROVISIONS OF THE Fair and Accurate Credit Transactions (FACT) Act of 2003 that took effect Dec. 1, 2004, grant new rights and privacy protections to U.S. consumers. But the law imposes strict new requirements on companies that trade or use consumer credit information.

FACT was signed by President Bush on Dec. 3, 2003. The law makes major changes to the Fair Credit Reporting Act (FCRA) of 1970, which first gave consumers the right to obtain their credit information from insurers, lenders and credit bureaus. But the reach of the new amendments extends to a wide range of businesses that harbor sensitive data on employees or customers. In short, even if your employer isn’t in the financial services, insurance or credit reporting business, the FACT Act is required reading for CSOs who don’t want to find themselves on the wrong side of a consumer lawsuit.

FACT extends the reach of FCRA to provide specific protections from fraud and identity theft, mandating that merchants and credit agencies tighten their systems for handling consumer fraud complaints and for protecting sensitive information—such as credit card numbers—from unauthorized disclosure.

FACT has already had a huge impact on companies that traffic in credit information, forcing them to develop new systems to communicate with consumers about changes to their credit status.

At ChoicePoint, a provider of identification and credential verification services for the insurance and real estate industries, FACT prompted major changes in the way the company communicates with the public, says Steve Keen, assistant vice president of customer and consumer services.

FACT required ChoicePoint to set up a system to get credit information to consumers. The company added an interactive voice response system and a Web portal so that customers can order their reports. With those changes came significant investments in software development, labor, employee training and infrastructure to support the new credit report request service and to prepare for a possible flood of requests once the FACT provisions were ratified, Keen says.

While its major provisions pertain to credit reporting agencies and the companies that furnish them with information, CSOs should not be lulled into a false sense of security when it comes to the FCRA and the FACT Act amendments, says Tena Friery, research director of the Privacy Rights Clearinghouse.

In fact, any company that uses credit reports—as part of its hiring or promotions process, for example—is subject to FCRA and should carefully review the new FACT amendments to FCRA, Friery says.

CSOs should consider setting up an internal business review council of lawyers, privacy experts, IT security experts and representatives from their organizations’ business units to weigh the requirements of FACT and other federal regulations, says Howard Schmidt, former White House cybersecurity adviser and current CISO of eBay. ■


News from Washington

To read more about what’s happening in Washington, D.C., visit our website at www.csoonline.com/wonk.




Top Billing

NEWS FROM INSIDE THE BELTWAY

Spyware is back on the docket. Rep. Mary Bono (R-Calif.) reintroduced a replica of her initial antispyware bill that passed the House of Representatives last year but failed in the Senate. IDG News (a sister company to CSO’s publisher, CXO Media) reports that the legislation would allow fines of up to $3 million for makers of software that steals personal information from a user’s computer or hijacks its browser.

Congress passed an employee background check bill. The measure allows employers to request FBI criminal background checks on anyone applying for or holding positions as private security officers. The measure is part of the National Intelligence Reform Act of 2004 (S. 2845).

Congressional representatives seek (again) to create a higher-ranking cybersecurity position within the Homeland Security Department’s Information Analysis and Infrastructure Protection Directorate. The DHS Cybersecurity Enhancement Act of 2005 (H.R. 285) was recently reintroduced by Reps. Zoe Lofgren (D-Calif.) and Mac Thornberry (R-Texas). The legislation, which was assigned to the House Homeland Security Committee on Jan. 6, would create the position of an assistant secretary for cybersecurity who would have authority over cybersecurity policy and program management.

The Transportation Security Administration’s maritime worker identification card program has come to a halt. According to a recent Government Accountability Office report, TSA missed its August 2004 deadline to begin issuing the smart cards, and the agency does not yet have an approved plan for the next phases of the project. TSA officials say that they intend to complete a plan to guide the prototype card system.




PHOTO BY GETTY IMAGES

SECURITY

Confidence Inspired

15+
Number of years it's led the way.

300+
Number of products and solutions it integrates with.

20,000,012
Number of others just like it distributed around the globe.

www.rsasecurity.com/securid

©2004 RSA Security Inc. All rights reserved. RSA, RSA Security, and SecurID are either registered trademarks or trademarks of RSA Security Inc., in the United States and/or other countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies.

Smart Move.


Video Surveillance

John Kingsley-Hefty is a professional architect who has been involved in building security design for more than 28 years. He retired from 3M's Corporate Security Services Department where he was responsible for integrated security systems and specialized in security design. In 1997, he formed Secure Environments, which helps clients design security and integrated business systems. He answered readers’ questions about video surveillance.

Q: What are the best practices for handling and storing CCTV tapes?

A: The key is building a tape swap and storage schedule that rerecords the tapes equitably. Tapes will wear, over time, to the point of failure. Color-coding by day and/or shifts, and numbering by week works well. The key is designing your system around your required video storage retention schedule. To ensure that tapes are rerecorded according to the proper sequence and schedule, shuttling tapes per day or week to a separate secure area—or in some cases, offsite—works well.

Q: I see organizations converging their physical and information security departments. Do you see the departments sharing alerting and monitoring resources?

A: Sharing resources is possible. The key would be the human resource standard required, followed by the training, orientation and procedures to support this integrated service. I see this question as a definite trend; all organizations are looking for efficiencies and staff reductions. This will definitely affect the guard services industry in terms of the types of officers required.

Q: What new video surveillance technologies are on the horizon?

A: Digital technology will go through improvements in speed and compression standards. Within the next two years we will see the elimination of the need for digital video recorders (DVRs). I expect that central servers will be able to service most customer sites worldwide. The key will be the customers and their willingness to invest in or upgrade their communications paths in terms of speed and bandwidth.

Q: Are there any digital video solutions for small businesses?

A: We are seeing the digital video industry continue to simplify its products to reduce costs and improve performance and features, following the same progression that we have all seen in the PC world over the past 10 years. For example, GE has just introduced a new product, which is a minimal four-camera device that is very well priced with basic operating features. I expect that the other players in the industry have or are about to release similar solutions.

Q: I don’t have the budget to redo my aging system, and I need to transition to newer hardware and technology. How do I go about that for access control, digital video and alarms?

A: For access control, watch the trade shows for new Web-based systems that will offer significant savings; in many cases you will be able to reuse your readers, door wire and a bridge to the Internet. You may also avoid the ownership of software and replace that expense with a very modest user fee. For video, if you are currently using multiplexers and switchers, the new “stripped down” DVRs will give you the opportunity to upgrade your front end into the digital world, without forcing you to upgrade your entire system.

Q: Our video equipment is old. Can you make any recommendations for a system that won’t bankrupt us and will give us 90 days of storage?

A: This is a loaded question, as we need to define the quality of the video to be recorded in terms of frames per second, the number of sites included in the system and how that calculates with the overall data storage space required to retain a 90-day schedule. With a digital system, you will have the ability to store locally and offsite. Most companies prefer to store locally. If the camera views may be configured to take advantage of video motion detection, motion-activated activity is very effective in reducing the volume of video needed for retention. This significantly reduces the storage capacity requirements, which will reduce the costs for the retention portion of the system. Again, storage may be local or in combination with offsite servers and services. The key is optimizing the volume required for retention. ■

Have a security topic to suggest or an expert you’d like to hear from? Send your thoughts to Departments Editor Kathleen S. Carr at kcarr@cxo.com. See what your peers are discussing at www.csoonline.com/counsel.




Demand Excellence

For more than 30 years ISACA has been certifying professionals with its flagship certification, CISA (Certified Information Systems Auditor), the globally accepted standard among IS audit, control and security professionals. In 2002, ISACA introduced CISM (Certified Information Security Manager), a groundbreaking credential specifically designed for information security professionals who manage an information security function of an enterprise or have information security management responsibilities. Together these programs have certified over 40,000 people worldwide.

CERTIFIED INFORMATION SYSTEMS AUDITOR
CERTIFIED INFORMATION SECURITY MANAGER

International exposure, recognition of advanced job skills, participation with a global leader in IT certification: all of these benefits are obtained through achievement of an ISACA certification. For more information, visit the ISACA web site at www.isaca.org/certification.

Register online now for the 11 June 2005 exams at www.isaca.org/examreg

Once upon a time, home life and work life were completely separate for most employees. Well, that’s what they tell us, anyway. Whether that’s a true story or a fairy tale, it’s clearly not the case today. More and more employees do some or all of their work from home. And they use those same home computers to surf, shop and bank on the Net. And for instant messaging. And to download music files and games and heaven-knows-what-all.

And—this is the killer—even when Jack the Accountant knocks off for the evening, often Jack Jr. hops into the desk chair and fires up the browser. So whatever scumware Jack Jr. dredges up off the bottom of the Web may very well get dropped onto the corporate network the next time Dad logs in.

Of course, every sane organization has a corporate policy in place regarding what employees should and should not do with their computers. But anecdotal evidence suggests, ahem, less than 100 percent compliance. A good number of workers fail to implement all those mandated safeguards, in some cases because they lack technical expertise, and in others perhaps because they simply think the threats aren’t as threatening as security wonks would like them to believe.

So CSO thought it would be valuable to look at how CISOs handle the computer security needs of their own homes. We asked three infosecurity leaders for a highly detailed list of the security products and practices they actually use—not because policy compels them but because these are the tools and steps they consider necessary to keep their own computers safe. The three responses that follow represent a range, from mildly cavalier to extremely thorough. (Only the guy in the middle of that range, Dan Lohrmann, CISO of the state of Michigan, opted to let us reveal his identity.) CSO readers will find their responses valuable as pass-along material for corporate employees, who can identify the setup similar to their own and note how that CISO approaches home computing security.

CSO editors Kathleen S. Carr, Sarah D. Scalet and Derek Slater contributed to this report. Send feedback to dslater@cxo.com.


CISOs are always pushing computer security policies. We asked three of them to forget the policies and show us how they handle security on their own home systems.


Secure  Computing 


CISO OF A FORTUNE 500 TRANSPORTATION COMPANY

Straightforward Setup, Simple Solutions

Our first CISO, whose company requested anonymity, has a fairly simple home computing setup: two computers, which are not networked to each other. His kids are away at college, so there are no teenagers downloading and IMing on his systems.

These factors create a situation in which the CISO is comfortable using fairly limited security technology. However, he’s religious about certain key measures: cautiously configured firewall software, frequently updated antivirus and antispyware programs, and great caution with e-mail.

Nontechnical employees with less complex home computing environments will find this example easy to emulate (and effective too) if they take their cue from his disciplined approach to antivirus, antispyware and procedural safeguards.

THE SETUP

■ What he has: One PC (Pentium 4) and one laptop (Dell Inspiron), both running Windows XP without Service Pack 2 (at least not yet). No local area network in place at home, although he is testing wireless.

■ How he connects: Broadband cable modem. Connects to work via a virtual private network (VPN).

■ About the family: Wife is a power user of Microsoft Office, Microsoft Print Shop and the Web, and the kids use the computer extensively when they are home from college. The family makes some online financial transactions using applications from their financial services supplier. They don't use instant messaging.

■ How he handles backups: Iomega products, a USB token and CD writer on the laptop.

TECH TALK

■ Relies on the security protection provided by his ISP, Cablevision’s Optimum Online. Tried Norton AntiSpam but could not install it effectively on Windows XP. It was affecting broadband performance, so he removed it and relies instead on the broadband service provider's implementation of Brightmail Anti-Spam. The broadband provider also blocks most pop-ups.

■ Uses Symantec’s Norton AntiVirus and Norton Internet Security on the laptop, and ZoneAlarm Pro and the Norton AntiVirus on the desktop. LiveUpdate runs automatically every Friday night to update virus definitions.

■ Uses PestPatrol and Spybot Search & Destroy to combat spyware and adware. Both automatically run at least once per week.

■ Web browsers at their default privacy and security settings.

■ Does not use any Web monitoring or ISP-blocking programs, because only adults live at home.

PRACTICALS

Encryption: The CISO encrypts only Quicken financial files.

Passwords: The family uses strong, frequently changed passwords for online financial accounts and “ease-of-use passwords” for online shopping and e-mail. “I don’t really practice what I preach at work,” he admits. “Users at home complain too much.”

Policies: Has instituted a “just say no” policy to any program requesting to act as a server or to access the Internet that is not explicitly authorized to do so. Family members do not store sensitive personal information such as passwords and account numbers on the hard drive, nor are they supposed to open any e-mail unless they know who sent it.

THE KID FACTOR

“The kids understood [‘safe computing’ concepts] fine, but they used old Napster and Kazaa anyway, until they got burned. Now they are more careful,” says this CISO. And what about when other people’s kids visit the CISO’s home? “We physically lock up the machines.”


CISO, STATE OF MICHIGAN, DAN LOHRMANN

More Systems, Kids, Defenses

Our second example ratchets up the complexity of the setup involved, both in technical and human terms: CISO Dan Lohrmann has three computers and two teenage kids who live at home.

And so he has more safeguards in place, including an RSA Security SecurID token required (along with a password) for logging in to work. He’s big on patches and down on cookies: he does not allow websites to put a cookie on his machine unless absolutely necessary.

Users with any degree of complexity should take a gander at Lohrmann’s precautions, and anyone with kids will appreciate his smart advice for helping make family members part of the solution.

THE SETUP

■ What he has: Three standalone PCs, running either Windows XP with Service Pack 2 or Windows ME. All have Internet Explorer.

■ How he connects: Dial-up, due to his fairly remote location. Connects to work using a VPN and two-factor authentication. No wireless.

■ About the family: In addition to basics such as the Web and e-mail, the Lohrmann family uses Microsoft Money and does some online banking and E-Trade transactions.

■ How he handles backups: Symantec’s Norton SystemWorks 2005 software.

TECH TALK

■ Relies on Norton AntiVirus (part of SystemWorks) along with the free version of ZoneAlarm personal firewall software. The systems are set up to check for automatic updates on these products as well as Microsoft patches.

■ Uses the spam filter built into his ISP’s e-mail.

■ Runs a spyware removal tool, Spybot Search & Destroy, every two to three weeks.

■ Doesn't usually use a pop-up blocker; says “they’ve caused more problems than they've solved.”

■ Uses ISP-blocking software to control his teenagers' Internet use.

PRACTICALS

Encryption: He encrypts some information, including the family’s Microsoft Money files, though not nearly as much as he does on his work computer.

Passwords: He encourages family members to use alphanumeric passwords with at least eight characters. This includes special characters for some sites and two-factor authentication for work-related sites.

Web hygiene: Clears out cookies and temporary Internet files every two to three weeks. In general, he turns off cookies, unless he specifically needs them in order to use a particular website. As needed, he customizes his privacy settings to not allow scripts to run.

The rules: “Things at my home are very similar to what we tell employees to do. We inform state employees of cyberrisks through awareness training, and we do block porn and spyware sites with SurfControl. However, we still see violations of our security policy, and we enforce our security policies through HR discipline.”

Don't overlook: “When I’m at conferences, I generally do not trust ‘shared computers’ that are available for e-mail in cybercafes.”

THE KID FACTOR

“We watch our kids when they surf. Our computers are in common areas like our kitchen. I encourage my kids to ask questions, and I’ve taken them through some basic training on dos and don'ts. My daughters chat only with known friends and not strangers online. I find my war stories from work have a big effect on their online behavior. They know where they are allowed to go, and that’s where they stay. I also show them newspaper articles and occasionally take them to security conferences with me. They become ambassadors for safe online behaviors at their schools and with friends.”

Do This, Not That

CISO Dan Lohrmann points to the state of Michigan’s IT resources acceptable use policy as a guide for safe computing. Find it at www.csoonline.com/printlinks.

CISO OF A HEALTH-CARE COMPANY IN THE MIDWEST

Complexity Breeds Caution

Our  third  CISO  has  the  most  complex  home  computing  setup  and  takes  the 
greatest  pains  to  keep  intruders  out.  He  pays  detailed  attention  to  each  family 
member’s  computing  needs  and  tailors  his  security  setup  to  allow  or  ban 
various  types  of  traffic.  His  setup  may  not  seem  practical  for  any  but  the  most 
sophisticated  computer  user.  Then  again,  anyone  who  needs  a  complex  home 
network  should  be  willing  to  invest  the  time  to  learn  how  to  secure  it. 


THE  SETUP 

■  What  he  has:  Three  desktops,  one  personal 
laptop  and  one  business  laptop.  Home  sys¬ 
tems  run  Windows  XP  Home  Edition  and 
Netscape  Web  browser. 

■  How  he  connects:  Cable  broadband.  Connects 
to  work  over  a  clientless,  SSL-protected  VPN. 
Home  network  is  principally  wired,  but  the  laptop 
connects  via  WPA-TKIP  (a  version  of  Wi-Fi 
Protected  Access  with  improved  encryption). 
Network  equipment  includes  Netgear  FR114P 
firmware  firewall  in  network  box  in  basement, 
Netgear  five-port  hub  and  a  Netgear  wireless 
access  point  with  virtual  private  network. 

■  About  the  family:  All  family  members  use  the 
computers  and  network.  They  shop  exten¬ 
sively,  bank  and  pay  bills  online.  CISO  doesn’t 
allow  instant  messaging. 

■  How  he  handles  backups:  CDs,  flash  disks, 
2GB  Iomega  Jaz  drive  disks.  Weekly  backup 
of  all  security  tool  configurations. 

TECH TALK

■ Uses Spybot Search & Destroy, ZoneAlarm Pro, Ad-Aware SE Pro, SpyCop, AdSubtract Pro, Active Ports, Norton AntiVirus and Internet Security suite on laptop.

■ Does extensive tailoring and granular identification of acceptable traffic/activity to meet needs of family members. Default setting is "deny," meaning any type of Internet traffic the CISO has not explicitly OK'd will be blocked.

■ Uses Norton Internet Security as well as Netscape's filters for spam.
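The default-deny, per-family-member policy described above is easy to state and easy to get wrong in practice, usually through rule ordering. The following is an added illustration, not part of the magazine article and not the CISO's own configuration: a small Python evaluator that applies an ordered allowlist with a default verdict of "deny", plus a check for rules that can never fire because an earlier, broader rule shadows them. The rules, user names, ports and sample flows are constructed for the example (TCP 5190 stands in for the blocked instant-messaging traffic).

```python
"""Default-deny traffic policy, tailored per family member (illustrative)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    user: Optional[str]    # None = applies to every family member
    proto: str             # "tcp" or "udp"
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "deny"
    note: str = ""


@dataclass(frozen=True)
class Flow:
    user: str
    proto: str
    dport: int


# Constructed allowlist standing in for the traffic the CISO has explicitly OK'd.
# Rules are checked in order; the first match wins. No match -> default (deny).
RULES: List[Rule] = [
    Rule(None,  "udp", 53,  "allow", "DNS"),
    Rule(None,  "tcp", 80,  "allow", "plain web"),
    Rule(None,  "tcp", 443, "allow", "HTTPS: shopping, banking, SSL VPN"),
    Rule("dad", "tcp", 22,  "allow", "SSH, admin only"),
]
DEFAULT_ACTION = "deny"


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field the rule constrains agrees with the flow."""
    return ((rule.user is None or rule.user == flow.user)
            and rule.proto == flow.proto
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(flow: Flow, rules: List[Rule] = RULES,
             default: str = DEFAULT_ACTION) -> Tuple[str, Optional[Rule]]:
    """Return (verdict, matching rule); (default, None) when nothing matches."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule
    return default, None


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every flow `narrow` could match is already matched by `broad`."""
    return ((broad.user is None or broad.user == narrow.user)
            and broad.proto == narrow.proto
            and (broad.dport is None or broad.dport == narrow.dport))


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier rule covers them.

    A common mistake when tailoring per-user rules: a broad allow placed
    above a narrower per-user deny silently wins, and the deny is dead.
    """
    return [later for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


# Constructed sample flows: an evening's traffic from the household.
SAMPLE_FLOWS = [
    Flow("kid", "tcp", 443),   # shopping over HTTPS
    Flow("kid", "tcp", 5190),  # instant messaging, not on the allowlist
    Flow("kid", "tcp", 22),    # SSH from the kid's account
    Flow("dad", "tcp", 22),    # SSH from the admin's account
    Flow("mom", "udp", 53),    # DNS lookup
]


def audit(flows=SAMPLE_FLOWS, rules=RULES):
    """Verdict for each flow: what a weekly config check would report."""
    return [(f, evaluate(f, rules)[0]) for f in flows]


if __name__ == "__main__":
    for flow, verdict in audit():
        print(f"{flow.user:>4} {flow.proto}/{flow.dport:<5} -> {verdict}")
    # A mis-ordered ruleset: the broad allow makes the per-user deny unreachable.
    bad = [Rule(None, "tcp", 5190, "allow"), Rule("kid", "tcp", 5190, "deny")]
    print("shadowed:", shadowed_rules(bad))
```

The point of `shadowed_rules` is the check the CISO's kids are taught to run on their own configs: an allowlist is only default-deny if nothing broad sits above the exceptions.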

PRACTICALS

Passwords: Uses "temporal time key dynamic password for VPN wireless, complex transliterated foreign language phrases, more rapid changing of security device passwords." Security log-on information is different from e-business and work log-on information. Translation: Uses multiple, complex passwords and changes them frequently.

Maintenance: Runs antivirus and antispyware/antiadware programs at least weekly. System vulnerability checker runs every three weeks or when updated or when suspicious activity is detected. Keeps Netscape and Windows patches up-to-date.

Web hygiene: Cookies filtered to the maximum extent possible. Browser set to not retain history of visited sites. Frequent cleansing of cache and other temporary log/tracking info directories is done using CyberScrub. Does not return "receipt requests" on e-mail.

Wireless: Uses AirMagnet and MiniStumbler to detect wireless vulnerabilities.

Shoppers beware: Family does lots of Internet shopping, but only with widely known and valid businesses. CISO logs in to online banking only over an SSL Version 3.0 browser session (the strongest browser protocol widely offered at the time; SSL 3.0 has since been deprecated in favor of TLS), and checks bank statements online for any unusual purchase amounts.

Don't overlook: Disables the entire network when family goes on vacation.

THE  KID  FACTOR 

“I  try  to  keep  security  as  transparent  as  possible, 
but  I  get  the  normal  grousing  about,  'Dad  is 
always  blocking  me.’  I  sit  down  and  show  them 
the  threats  facing  them  and  how  [a  security 
breach]  can  destroy  their  data.  I  find  out  how 
they  use  the  Internet  and  PCs  so  that  we  can 
work  together  to  build  a  secure  format  for  them, 
showing  them  how  to  run  each  of  the  security 
tools  and  how  to  check  their  configs  to  see  if  any 
problems  are  noticed.” 


March  2005  www.csoonline.com 




To  build  an  effective 
investigative  team, 
CSOs  need  to  assemble 
the  right  mix  of  specialized 
talents.  Then  they  have 
to  cultivate  trusting 
relationships  with 
other  organizational 
leaders. 


IN THIS STORY: How to build an investigative team ■ What to consider when starting an inquiry ■ Interview tips


BY  DAINTRY  DUFFY 


PHOTO  BY  GLENN  OAKLEY 




Investigations 


The managing executives were concerned. The family-owned company they had acquired recently in a multimillion-dollar deal did not appear to be as profitable as they had expected. Threats had been made against their recently installed executive team, and an employee had come to them, in confidence, with a startling revelation: I think you're being bugged.

On behalf of the new ownership, Chris Marquet's investigations agency dispatched a team of 10 investigators and forensic accountants to do a little digging. The story they uncovered was worthy of a Robert Ludlum potboiler.

Under the purchase agreement, the new owners agreed that the founding family would remain in charge of the company's day-to-day management. A covert investigation of the family unearthed some interesting facts, such as the prior arrest of one family member on weapons and drug charges.

Even more disturbing, forensic accountants determined that the family had been using the company as their personal piggy bank. Corporate funds had financed homes, boats, cars, vacations and a number of other luxury items. Inventories, receivables and reserves had all been misstated to enhance the value of the company, and a cleverly designed computer program had defrauded customers by overcharging a small amount on each transaction at the point of sale. Fearful of discovery, the family was thought to be eavesdropping on the new management team. Interviews of current and former employees yielded a trove of other alleged crimes and misdemeanors, everything from sexual harassment and discrimination to suspicions of ties with organized crime.

"It was a can of worms, and it kept getting bigger," says Marquet, executive managing director and a founding principal of Citigate Global Intelligence & Security. Marquet says the investigation took place some years ago, before he formed Citigate, and he declines to name his client and the subjects of his inquiry. He says the five-month-long investigation culminated in the firing of the family patriarch and three other family members, criminal charges being filed and a civil suit, the outcome of which enabled the company to recoup some of the estimated $5 million that it had overpaid for its acquisition. And in firing the family, the company was no longer obligated to pay out their hefty five-year contracts.

Few CSOs will ever have to oversee an investigation of this magnitude. Background checks, off-color e-mails and expense report cheats will compose a far greater percentage of an investigative team's caseload than will checking out surreptitious eavesdropping and alleged criminal activities. However, seasoned corporate investigators agree that regardless of the size and scope of a case, the core competencies of a good investigator and a well-managed investigation are largely the same, though by no means simple to master.

"It's an art form to be able to maneuver your way through some cases," notes Thomas Nihill, a former special agent for both the IRS Criminal Investigation Division and the U.S. Department of Labor's Organized Crime and Racketeering Section, and now the managing principal of Nihill & Riedley forensic accounting firm.

We spoke with security executives, forensic accountants and corporate investigators, and uncovered their best practices and techniques for building a strong investigative unit and for successfully managing an investigation. As with any management skill, CSOs need to exercise their communication and leadership skills with investigators. Unlike other security professionals, however, corporate investigators are a specialized breed, and assembling a first-rate team requires cultivating members with a variety of singular skills. Some need the technical savvy to pick through financial and computer records. Others possess a sensitivity to human behavior. All share a healthy respect for organization and process, however, and demonstrate the hallmark trait of all great detectives: dogged determination.

The Sensitive Side of Security

Building an investigative unit is not like erecting a new perimeter fence. It requires finesse and sensitivity. Investigations make people nervous. This is especially true in the corporate world where people worry about losing their jobs and nobody wants to be responsible for causing a fellow employee to lose his. That means that when questions come up, it's important to understand how those questions are perceived by the people who are giving answers.

This is true even in situations where there's not an investigation per se, merely a quest for information. Take one of the security executives we spoke with, who once received a phone call from a satellite office in South America. Employees there were concerned that an investigation was under way regarding cell phone usage. In reality, there was no investigation. The company was looking at ways to cut costs and eyeing cell phone bills. The process of doing so, however, stirred concern among employees who feared the I-word. (Employees calmed down once they heard it was a budget review.)

CSOs with experience building an investigative team say it's imperative to be sensitive to employees' perceptions, as well as cultural differences among far-flung employees working around the globe.




PHOTO  BY  STEPHEN  WEBSTER 




"Investigations have to be conducted with integrity and respect for individuals," says Ed Casey, chief security officer at Procter & Gamble. "You're making a judgment about someone's career, and that can create serious credibility problems for the security organization if it's not done properly. There have been many occasions where an employee is terminated by a company, and the employee has filed suit and been awarded damages because the process wasn't right."

Many investigators come to the corporate world from a career in law enforcement. This affords them an extensive knowledge of investigative techniques but little experience in navigating the rocky shoals of corporate politics. Many corporate investigations are hobbled before they even start because security takes an overly aggressive posture within the organization. Not only does this expose the company to liability, it also discourages would-be whistle-blowers and witnesses from coming forward and sharing what they know.

Most frauds are reported by other employees, says Carl Pergola, national director of FirstGlobal Investigations, a division of BDO Seidman. Pergola says that "if you approach employees with a condescending or intimidating style, your first line of defense is unavailable to you."

"Besides," Pergola adds, "there's always an opportunity to intimidate someone [later] if you need to."

Diverse Experiences Wanted

Outside of Sherlock Holmes' lair at 221B Baker St., it's practically impossible to find a single individual who possesses all the skills that many corporate investigations will require. The best approach is to build a team of investigators with a broad spectrum of talents and experiences.

Many companies hire ex-law enforcement officers for their years of investigative experience. These individuals are often experts in interview techniques (see "Inside the Interview Room," below) and in documenting and tracking a case's progress. Many companies also round out their investigative unit with experts in computer forensics who can locate and preserve evidence that exists within a computer or the corporate network. They also look for forensic accountants who have a keen understanding of accounting principles and the particular business processes of their employer so that they can recognize irregularities.

At Boise Cascade, CSO Jim Ashby recalls one situation where ghost employees at several branch offices were entered into the payroll system at the paper and construction product maker. The person responsible for the fraudulent payroll records collected more than $250,000.

During the early stages of an in-house investigation, the diversion of money hadn't seemed possible because there was traditionally a separation of duties between the person who created new employee records in the payroll system and the individual who sent staffing reports to each location. But after the diversion of money had gone on for some time, Boise Cascade investigators finally figured out that one person had changed jobs several times but had retained the ability to create and edit new employee entries, and had later deleted the "ghosts" before any reports could alert management. Although the perpetrator and spouse had already spent much of their ill-gotten gains prior to being brought to court, the judge ordered restitution, and the pair pleaded guilty to federal charges and were sentenced to multiple years in prison, Ashby says.

PHOTO BY PER BREIEHAGEN

While Ashby's team had the skills to solve that case, some companies may wish to outsource some or all of their investigations to a vendor that has the full range of capabilities instead of building their own unit. This is especially critical for companies that routinely deal with investigations that are international in reach. The cultural issues and conflicting legal systems that come into play when dealing with an employee or business partner based outside the United States can flummox even the most seasoned investigator.

Prior to joining Kimberly-Clark, where he is a senior regional security manager, John Rodriguez worked as an independent consultant and participated in more than 200 investigations in Latin America. Rodriguez suggests looking for an investigator who possesses cultural sensitivity. He points out that in some Latin American countries, the simple act of interviewing a subject in a closed room could be viewed as illegal detention or kidnapping. In some pro-labor countries, employees have a lesser threshold of proof for defamation or wrongful termination. A skilled interviewer can neutralize such risks, Rodriguez says.

Whether you choose to use an internal or external investigator, Rodriguez suggests focusing on one "who has the right skill set for that country, and a holistic understanding and experience of the country and the region that he is going into."

Those Intangible Qualities

In addition to learned skills, a crack investigator possesses some intangible qualities. The first is objectivity. This is especially important in corporate life, where investigations can reach up into the executive suite or down among friends and coworkers. Part of remaining objective is ensuring that the scope of your investigation isn't narrowed prematurely. Often the real problem will turn out to be something different from what was originally suspected, or the first report will be just the tip of a larger concern.

"We investigated an incident where a worker in a manufacturing plant finally came forward [after months of intimidation] when a coworker threatened to kill him," says Tim Dimoff, CEO and president of SACS Consulting. "After some investigation, it turned out that four more people had been threatened by that same individual in the past six months." Dimoff says his company posted an armed security guard to protect fearful employees, then notified the worker making the threats about the investigation; the worker left soon after and found another job.

Second, investigators require an inquisitive mind. "Some people are better wired for this than others," says Fabian Campion, manager of business risk mitigation and investigations at 3M. "An inquisitive mind means not taking things at face value, not taking 'no' for an answer and constantly asking why." Investigators also have to be able to deal with the potential consequences of their job. "I've worked with some folks who have such good analytical skills," says Boise's Ashby, "but they can't deal with being the person who causes someone to lose their job or be disciplined. They can't ask questions knowing that they're going to get someone in trouble. Not everyone is cut out for this."

Communication skills are also a critical capability for investigators. They have to be able to view a case through a big-picture lens and with an attention to detail, and they must be able to present and encapsulate their findings to an executive audience or in court if necessary. This requires excellent verbal and written skills combined with good interpersonal skills. "You have to be able to not only articulate findings and explain what you've discovered," says Nihill, "but you have to talk to people involved in the organization, establish a relationship and promote a good exchange of information."

Inside the Interview Room

INVESTIGATORS LEARN TO SEPARATE TRUTH-TELLERS FROM FICTION-SPINNERS

Every person coming into an investigator's interview is already fearful, says Nate Gordon, director and founder of The Academy for Scientific Investigative Training in Philadelphia. When an interviewer presents himself professionally and behaves in a calm, authoritative manner, a questioning session separates the innocent from the guilty. The innocent person becomes less fearful, and the guilty person's anxiety increases. Gordon, who teaches courses on interview techniques, says experienced questioners use many tools to be effective.

Among them:

Icebreakers. An interview usually starts with some ice-breaking chitchat unrelated to the investigation. This allows the interviewer to get a sense of the subject's style: things like verbal tics, amount of eye contact and physical mannerisms.

Non-verbal cues. When discussing the case, the interviewer looks for non-verbal behaviors. A deceptive person will often put a hand to his eyes or mouth to obscure what he's saying. A truthful person usually exhibits mannerisms that clarify what he's saying, like touching a hand to his chest and making eye contact when stating his innocence.

Set up two chairs. Gordon recommends placing two chairs facing each other so that the interviewer can see the subject's entire body and there's no object behind which a subject may hide.

Consistent questions. With multiple subjects, the interviewer should avoid accusatory questions and ask each one the same set of questions, and should use a consistent reading and writing style. The questions should either be all read off paper or all memorized. Every response by the subject should be written down. (Selective recording invites a subject to analyze the interviewer's behavior.)

Anyone else in the room must be silent. If a manager or an HR representative is present, that person should sit behind the subject and stay quiet. "I tell them they can sit in under one condition," says Gordon. "If they think I've asked an improper question, they should say, 'Mr. Gordon, can we step outside?' Other than that, they have no input." -D.D.

Building the Right Kind of In-House Support

A corporate investigative unit has four critical partners in an investigation: human resources, general counsel, internal audit and the manager of the business involved in the investigation. Building constructive relationships with each of these groups should be one of security's key goals. However, it's not always easy. Selecting what information to share and when to share it is an ongoing challenge. "The hardest thing we balance is determining who needs to know and how we help them understand that they can't share that information without jeopardizing the investigation," says Ashby. Several CSOs we spoke with recounted cases where they have informed human resources of an impending employee interview only to have HR notify the employee. In retrospect, most security executives admit that this was caused by a lack of communication. Campion says, "You can get too used to how you do [things] and assume other people have the same knowledge, but when you set your expectations up front, nobody spills the beans."

A similar problem often occurs when security informs a business unit manager that an employee or transaction involving his group is under investigation. Often that manager cannot resist doing a little Miss Marple-ing of his own and unwittingly tips off the people involved. It is a delicate balancing act. Sharing too little information will lead to inevitable criticism from the business, while too much can blow the investigation.

Investigators can manage this best by including managers and human resources in the process, giving them as much information as is practical, explaining how they can help and the importance of confidentiality in preserving the investigation. For example, in a sexual harassment case, security might wish to notify a manager that an allegation has been made of some inappropriate behavior in his department and that they will be conducting interviews. Security might choose to withhold the identities of the accusers and the accused to prevent any awkwardness or unsolicited sleuthing.

Involving legal early and often is also a good rule of thumb. "Our policy, by default, is to have everything covered under attorney-client privilege, wherever permissible, so that we can preserve our discretion on how to proceed," says Denis Verdon, senior vice president and head of the corporate information security group at Fidelity National Financial. Verdon adds that keeping knowledge of investigations on a strict need-to-know basis is critical. "If information regarding an investigation is inappropriately divulged, this may in some cases compromise client-attorney privilege and may become discoverable," he says. Fidelity National is a specialty insurance provider and is the nation's largest real estate title insurer.

In addition to those protections, a contact in the legal department should be involved in cases that include the potential for termination, to prevent creating additional legal exposure. General counsel should also be brought in early on any case where disclosure of an incident to police or government regulators could be mandated by law.

Recognizing what these other functions bring to an investigation and adhering to strict boundary limits in security's role are critical to building a strong investigative capability. "Corporate security is an independent group. That's what makes us good investigators," says Campion. "HR tends to be viewed as employee advocates, and legal is concerned with risk. We're not out to get employees, but we're not their advocates either. We weigh in as an equal partner at the table, but the decision of whether somebody is hired or fired is not made by corporate security."

"One simple rude or inconsiderate act will separate you from the people who have the information you are seeking."

-JOHN RODRIGUEZ, SENIOR REGIONAL SECURITY MANAGER, KIMBERLY-CLARK

Though security should not make any punitive decisions, they can be instrumental in preventing one of the frequent pitfalls of an investigation: unequal treatment. At Boise Cascade, Ashby stresses the importance of having senior management and counsel sit down and work out what the policy of the corporation will be toward different infractions so that security can approach each case in a uniform manner. "I strive to make sure that we don't fall into the trap of every case being treated differently based on how well management likes or doesn't like that employee," says Ashby. "It's difficult to get everybody on board, but there has to be a definitive agreement that this will be the criteria [for prosecution or dismissal], and it doesn't matter who you are."

Develop a Flexible Process

The CSO's role in an investigation is to be the navigator. He sets the direction that the investigators should follow and checks in frequently to recheck their course. The first 24 to 48 hours of a case are critical, and in order to hit the ground running, the investigative team needs a process that is rigorous enough to make maximum use of that early window but flexible enough to ensure that the investigation is not unduly restricted. The first few days of an investigation are especially important in cases where law enforcement or a regulatory agency is likely to get involved. "Once you go to the U.S. attorney or a regulatory agency, that limits what you can do on your own," says Nihill. "If somebody embezzled money or has gotten kickbacks from contracts, you should do as much as you can before the perp can get counsel. A lawyer won't let them talk, but [if you get to them early] you might get a confession."

The CSO and lead investigator should meet early to outline a game plan for the investigation. This will include a discussion of the resources, both technical and manpower, that the investigation will likely require and some initial goals. "We talk about what we have and where we think this is going to take us," says Campion. "Even if it's a small case, we lay down those road markers." At 3M, the investigative unit has also found that by reaching out to the business unit early, it buys them goodwill and assistance when they need it. "It's best to meet or communicate with that division's vice president because not only can we get additional perspective, it buys corporate security the support it needs to do its job. So we're never in the position of being the snoopers."

As an investigation unfolds, the lead investigator should report to security executives at frequent intervals to assess their progress and refocus and amend the operation if necessary. At 3M, the investigative unit has a process called case review. Every other week the investigative teams gather around a table for an hour to discuss the cases they're working on. "This is not to show how busy we all are," says Campion. "It's a chance to throw out what we're working on, leverage the talent and expertise of the team, and draw out some new ideas and approaches."

After an investigation is concluded, it's also important to ensure that the business leaders involved are apprised of the findings so that they don't come back six months later wondering what happened to the investigation. This is an area where many investigative teams lose a lot of goodwill. At 3M, investigators typically wrap up each case with a formal findings meeting. They also cherry-pick their biggest cases and every quarter issue a report to senior management that includes a short paragraph about each case and what's been done to resolve it.

Whether a company decides to go public with the results of an investigation is another matter. The CSO and senior management have to weigh the potential downside of pressing charges: the expense and, in some cases, the potential damage to the company's reputation. But there are often benefits. If money was stolen, for example, restitution might be a possibility. Elaine Wood, a managing director with Kroll, recently led a forensic audit to trace $13 million that had been stolen by an employee of a New York money management firm. The company was able to recover more than $5 million in assets. Going public can also discourage other would-be offenders from attempting the same crime. However, sometimes the only benefit is to the public good, and even that is no small thing.

The following is a selection of groups that offer conferences, information-sharing and training for investigators.

The High Technology Crime Investigation Association

A professional association for investigators using information technologies. Its newsletter includes tips on computer forensics and other investigative techniques. www.htcia.org

International Association of Financial Crimes Investigators

A professional group formed in 1968 that provides training for investigators fighting financial fraud. www.iafci.org

The Government Accountability Office

Publishes an online "Investigators Guide to Sources of Information" as a tool for finding information about people, property, business, and finance. www.gao.gov/special.pubs/soi.htm

The California Financial Crimes Investigators Association

Established in 1951, is a group of investigators from both the public and private sectors who pursue financial crimes. The group holds an annual training conference in the state. www.cfcia.info

A few years ago, Marquet worked on a case where he was tasked with vetting a CFO candidate for a public company. In investigating his background, Marquet discovered that a previous employer had fired him for misappropriating corporate funds. Because the previous employer had brought civil charges, Marquet was able to find out what had happened and prevent his client from making a potentially disastrous mistake. "I think it's incumbent on companies to go after individuals who do [such] acts and bring it to light," says Marquet, "so that they won't get into a position of trust again." ■

Daintry Duffy is a freelance writer based in Southborough, Mass. E-mail your comments to Managing Editor Michael Goldberg at mgoldberg@cxo.com.


Background  Dos  and  Don’ts 


Performing  background  checks  on  employees  may  seem  routine,  but  you  could  get  into 
trouble  if  you’re  not  careful  about  them.  Read  “Bad  Checks"  from  the  August  2004  issue 
to  learn  how  to  get  them  right.  Go  to  www.csoonline.com/printlinks. 


March  2005  www.csoonline.com  41 




Much ink has been spilled over the vulnerabilities created by running voice traffic over data networks. But smart CSOs are, in fact, going to use voice over IP—and similar forthcoming technologies—to their benefit.

BY  FRED  HAPGOOD 


IN THIS STORY: How to use voice-over-IP technology to aid security and safety ■ Why VoIP is the vanguard of significant changes in networking


WHEN BERNALILLO COUNTY IN NEW Mexico—home of the state capital, Albuquerque—committed to a new courthouse, the designers naturally wanted to build the most secure facility possible. But for courthouses, security is defined as including both the integrity of the physical structure (the assault on the Murrah Federal Building in Oklahoma City has made structural robustness a must-have feature) and the reliability of the personnel mobilization system. Unfortunately, it wasn’t clear that Bernalillo County could have both.

Improving mobilization meant establishing a guaranteed connection to security personnel, one that could not be cut and one in which calls always reached the intended person quickly. Improving physical security meant lots of metal and concrete. Portable phones were an attractive and probably essential solution for the mobilization problem. But the materials used to solve the physical security issue played havoc with the frequencies used by wireless phones, causing missed or dropped calls.

The designers found a way of reconciling this conflict with a new technology called voice over wireless IP—sending telephony over a wireless local area network (LAN). Since wireless routers are cheap (relative to configuring wired networks), they were able to position a new access point anywhere the physical structure imposed an interference problem. After some experimentation (“Can you hear me now?”), they arrived at a communications system that was both seamless and ubiquitous, without having to sacrifice the robustness of the building itself. And according to Paul Roybal, CIO of the Metro Court, the system is also used to support the “telepresence” of defendants at routine court hearings, thus increasing security by reducing transportation requirements as well.

When VoIP (not just the wireless kind) first became a leading enterprise technology fad, many security professionals refused even to let the technology through the front door. From a security point of view, there was not that much wrong with plain old telephone service (POTS). Moving telephony onto the network would just make the application vulnerable to the usual network threats: viruses, worms, spam. And VoIP vendors kept hyping the technology as the poster boy for “convergence,” which to a network security person is just a fancy word for “single point of failure” or “putting all your eggs in one basket.”

ILLUSTRATION BY MATTHEW BANDSUCH

However, smart use of encryption and redundancy can go a long way toward mitigating those risks—more on that later. More significant, the Bernalillo Metro Court illustrates the beginning of a more advanced development: using VoIP as a tool to further the security agenda, instead of complicating it.

Boon,  Not  Bane 

The potential is clearly there. The freedom to move phones freely and flexibly around a building without calling a contractor is as good for a CSO as it is for a CIO. At least in theory, VoIP simplifies the management of many pro-security tricks—such as encrypting both the message and the address; logging a long list of usage details; utilizing fine-grained resource assignments (according to Roybal, the Metro Court installation can assign communications from jurors, lawyers, judges and security personnel to different traffic priority levels); and last but not least, tightly integrating with the rest of the security infrastructure—from a point that can be both centralized and mobile. Since legal decisions have held that companies own the data on their IP networks, it is probably even allowable to record all VoIP traffic for use in future investigations.

It is not unusual for high-security installations to ban cell phones, usually out of concerns over eavesdropping and the risk that pictures will be taken where they shouldn’t. This is another trade-off that’s good for security but a burden to employees and visitors. Patrick Ravenel, senior vice president of engineering and operations at security services company PreventSys, says some of his clients are beginning to give visitors wireless “push to talk” VoIP walkie-talkies that communicate only within authorized personnel categories or VoIP phones that are configured to turn off automatically when carried into sensitive areas.

Indeed, some analysts think that eventually security is going to evolve into one of the showcase applications for VoIP. “Up til now,” says John Moss, CEO of S2 Security, a physical security services provider, “remote security has been confined to monitoring.” Security officers sat at desks and watched banks of TV displays. If something interesting appeared on a screen, they had to find someone near the scene, call him, describe the problem and tell him to go check it out. Moss points out that, by far, the largest fraction of these incidents could have been resolved on the spot if the officer looking at the remote location had been able to have a brief conversation with whoever was there. Perhaps a perfectly innocent visitor was wandering around lost, or the card reader was beginning to fail, or an employee had lost his or her access card, or someone was failing to use the access devices properly.

Some high-security companies do, in fact, install intercoms at every surveillance point. But until now, the cost of special (and often proprietary) wiring has made that degree of flexibility and ubiquitousness prohibitively expensive for most users. The low marginal costs of VoIP—any given VoIP signal adds only a few kilobits to network traffic—make such coverage more practical. It gives remote security much of the flexibility of having an officer physically on the scene.

The favorable economics make it possible to leave these intercoms on 24/7, essentially adding audio monitoring to the security toolkit. This is a nice extra: Even pan-tilt-zoomable cameras essentially only look in one direction at any given moment; audio, on the other hand, senses in three dimensions and 360 degrees simultaneously. Up til now, if a person in a protected environment wanted to attract the attention of security, he had two options: One was to find a camera, wave and hope the officer on the other end was looking; the other was to scan the scene for an intercom, run to it and press the call button. In many circumstances, neither of those processes is ideal. Placing intercoms throughout a secured zone allows people to get through to security with a simple shout, wherever they are.

Audio monitoring also allows a more intelligent filtering of video monitor output. Many security incidents come with characteristic noises—a shout, the sound of breaking glass, metal striking metal. An officer watching a bank of dumb monitors won’t always be looking at the right screen at the right time. He might be turned around, looking at none of them. A shout will always get his attention. And a quick glance at the screen farthest to the right, where the audio signal needle is, should focus his attention where it needs to be.

Since VoIP connections can be controlled from anywhere, the officer on duty can conduct patrols or investigate situations personally without ever being out of touch. VoIP streams can be copied to any address with no loss of quality, which makes it easy for an officer in location A to ask a colleague in location B for his opinion—even if location B is 1,000 miles away. (There are downsides to this access—such as being pestered by people who want to know where their car is. Moss also cautions that privacy concerns will inhibit the use of audio surveillance in some cases.)

Finally, while vendors might talk up “convergence” to CIOs (in this case, meaning the confluence of multiple types of data over a single wire), VoIP turns out to be more of a “redundancy” technology in actual practice, which automatically makes it more interesting to CSOs. There is nothing about the technology that compels an enterprise to toss out all its landlines, and from a security perspective, there are plenty of reasons not to do so. Landlines have their own power sources, work with 911 (VoIP does not—at least, not yet) and are obligatory elements in a huge installed network of fire department and alarm company services, elevators and fax lines. POTS is there when an idiot with a backhoe cuts the LAN fiber; VoIP is there when a hurricane takes out the landline network. Further, once VoIP is in place, it is easy to run a wireless system on top of that (as the Bernalillo Court does). The technology permits a CSO to build a layered communications infrastructure of landlines, wired and wireless (lasers, microwaves) VoIP and cell phones, which makes communications almost impossible to interrupt or deny—no matter what happens.

Still, it is true enough that the technology is vulnerable to network disorders. (Though, it might be noted that one security problem VoIP doesn’t present in acute form is simple theft, since voice uses so few resources. But the concern is not zero; there is traffic in pilfered VoIP phone numbers.) This is a real-time technology that requires very low latencies (latency here refers to the time required to receive a response to a transmission) to be useful. Even a modest denial-of-service attack—one that you would never notice in the course of conventional file requests—can make voice unusable.

Phones are unlike other network apps; people are not interested in entering user names and passwords every time they answer a call, which means finding other ways of negotiating authorization. Finally, again unlike most current network applications, a given VoIP conversation flows across many kinds of systems, including local LAN environments, all the flavors of Internet telephony in the world and POTS. And every time a packet crosses from one system to another, it runs a risk.

All this might add up to a case for giving VoIP a pass, but there are counterarguments. First, many of the security issues raised by VoIP are not new and can be handled by simple security upgrades familiar from the world of virtual private networks—such as extending the domain of encryption (including the encryption of routing information); imposing per-user authentication; regulating connection attempts with denial-of-service attack monitors; and supporting as many levels of redundancy as possible, down to and including fan, power and feed redundancies. Furthermore, the new issues that do arise will probably have to be addressed whether or not you install VoIP.


The  Broader  Implications  of  VoIP 

Many analysts think the Internet is going through a change every bit as profound as the transition in the mid-’90s, when it went from an academic, research tool to the present mass medium. In this case, the change is from a relatively homogeneous, wired operating environment in which hundreds of millions of


Fuzzy Math

Despite voice over IP’s status as one of the hot information technology topics in the past couple of years, the actual adoption rate seems to be a bit on the careful side.

■ In-Stat/MDR reports that the percentage of companies using VoIP grew from 3% in 2003 to 12% in 2004, with “substantially higher rates” of growth among large businesses.

■ Insight Research predicts that installed VoIP private branch exchanges (PBXs) will outnumber installed, conventional PBXs after 2009.

■ Nemertes Research finds that VoIP costs “vary wildly,” with initial deployment costs ranging from $515 to $1,512 per user.


phones, loudspeakers, photocells, meters and counters, alarms, biometric devices, signs, and radio frequency identification tags for locations, vehicles and security-related inventory such as firearms. Ravenel’s walkie-talkies and Moss’s intercoms illustrate the trend.

This new Internet is going to require new thinking about security. For instance, since devices are inherently dumb, authentication will probably have to stop relying exclusively on end-based, challenge-and-response solutions—such as typing in passwords—and look to supplementary technologies that live in the network. One might be device monitoring; the network will measure the behavior of each device against its operating history and different policy constraints as defined by the CSO. So, for instance, if the printer starts doing something novel, alarms will ring.

Not many dogmas run deeper than the one about how the Internet destroys locality. John Roese, CTO of Enterasys Networks, thinks locality is coming back big time, but as an authentication and authorization technique. Your laptop will gain access rights of Type A when it is detected in Room 100 and will lose them when it is taken out of that room. Roese thinks that even wireless devices (whose locations would be determined by access points triangulating signals or by planting address transponders into walls) will end up being controlled the same way. Another example he gives of the changes that will be required in security practices is remediation management. Right now, when a network has a problem—such as a virus infection—it’s shut down til all the nodes are cleaned. When the network is running the phones in addition to the elevators, the A/C, and the microwaves, you are going to have to be more careful about what you shut down.

In other words, VoIP is just the point technology of a broad-based revolution in networking that is coming regardless of how deeply an enterprise buys into this or that telephony system. This revolution is probably going to require an across-the-board reappraisal of security practices and their relation to everyday operating procedures.

As a rule, sentences like that last one make CSOs wince, since typically, they get very little support in an organization for radical rewriting of security policies. VoIP might be different; when phone calls move onto the network and the “dial-tone reliability” of, well, dial tones themselves is threatened, people might be willing to take security more seriously. If they do, that will be the most important contribution of all that VoIP technology can make to the profession. ■

Fred Hapgood is a freelance writer based in Cambridge, Mass. Send feedback to Editor Derek Slater at dslater@cxo.com.


Security Without Wires

Dan Meacham, security information officer for Baylor Health Care System, talks about securing wireless networks. Go to www.csoonline.com/printlinks.




IN THIS STORY: Key differences in U.S. versus U.K. security tactics, governance and regulations


BY  MALCOLM  WHEATLEY 


Brits handle security differently than do the Yanks. Understanding why and how can help give both sides new ideas.


the  Pond 


PHOTO  LEFT  BY  PATRICK  BARTH;  RIGHT  BY  GETTY  IMAGES 


Global  Security 


“Two countries, separated by a common language” was the conclusion that British Prime Minister Winston Churchill reached after working with America to defeat Hitler’s Germany during WWII. Brits do things one way, Americans often another way—each for their own very good reasons.

And it’s a distinction that holds true in the world of security too. “Some of the differences between the U.K. and the U.S. still strike me forcefully,” notes Richard Starnes, an American information security professional who has been in England for five years, currently serving as president of the U.K. chapter of the Information Systems Security Association and as director of incident response at telecommunications company Cable and Wireless. Time and again, Starnes says, he sees Americans fall foul of the assumption that security policies and practices designed for organizations within the United States will be culturally and legally acceptable in the United Kingdom and other European countries. It is, he says, “not an assumption that’s valid.” The bottom line: What works well in Los Angeles may not work at all in Leeds or Liverpool.

Why not? Simply put, on any one of a number of axes—culturally, regulatory, organizationally, historically and geographically—Churchill was right. Britain and America are very different. For example, the United Kingdom has a decades-long head start on preventing terrorist attacks. Yet while U.S. businesses may have built less antiterrorism capability, security at the moment may have higher organizational standing at U.S. businesses in the receding wake of 9/11. For the CSO, the time required to understand this and other differences, and their ramifications for corporate security leadership, is time worth investing for two reasons. First, American-headquartered companies with operations in Britain have an obvious need to know. Second, even companies operating solely in the United States can learn a trick or two from best practices of their counterparts across the Atlantic. From differences in detail right through to the big strategic picture (more on that later), there’s value in the English point of view.

Elbow  Room 

On the tactical end of the scale, take the differences stemming from the physical, human and environmental geography of the country itself. Britain’s mild climate and benign geology mean that its security professionals are sometimes taken aback at their American counterparts’ sanguine approach to data centers located on earthquake fault lines or in “Tornado Alley,” says Jason Creasey, head of projects at the London offices of the Information Security Forum International, which counts corporate giants such as Boeing, Procter & Gamble and Citibank among its 260 members. “To British eyes, it seems strange,” he says.

Boston-headquartered records storage company Iron Mountain, which counts 80 percent of Britain’s largest companies as customers, as well as a number of British government departments, also sees security-related differences between Britain and the United States, says its European Construction Director Stephen Newell. Iron Mountain’s facilities in the United States, he notes, are generally located in sparsely populated areas. In Britain—and especially in its cramped and congested southeast region, around London—that’s not an option. Consequently, at the document storage sites that Newell constructs and equips, “There’s a much greater emphasis on perimeter security than in the U.S.,” he explains. His American counterparts, it seems, place their emphasis on securing the building. In contrast, Newell sees a secure building as a second line of defense, not a primary one. One particular Iron Mountain site in southeast London—which, he says, at 240,000 square feet comprises Europe’s largest purpose-built records management office—“would probably be subject to fly-tipping [illicit garbage dumping]” or invasion by squatters if the company didn’t secure the perimeter. So it is secured indeed, with proximity-triggered 2.4-meter palisade gates, a full-color digital CCTV system and beam detectors that immediately direct the CCTV cameras toward any point where the system is triggered—all conforming to BS EN 50133-1, the British standard for access control systems used in security applications.

But Britain’s population density isn’t always a drawback. Ask Bruce Larson, security director at Voorhees, N.J.-based American Water, the United States’ largest investor-owned water resource. American Water, it turns out, is managed by Britain’s RWE Thames, a utility company with global ambitions, and Larson—whose purview includes both physical and information security—has spent the past three years coordinating RWE Thames’s global security programs, as well as managing U.S. security for American Water. British security executives, notes Larson, have one luxury not always afforded their American counterparts: If they work for a geographically compact organization, they have the ability to stay much more closely in touch with their grassroots-level staff, and the facilities that they secure, than their counterparts in the United States.

BILL PEPPER, director of security risk management at Computer Sciences Corp.’s British headquarters, cut security expenses by 5% by combining corporate and information security.

“In the U.K., you can easily drive around every facility, if you want. You can call everyone together and brief them. Or carry out an audit. Support is not only much easier in a compact geography, but also you need proportionately fewer staff than you do in large geographies,” Larson says.

Ireland’s  Legacy 

But the biggest eye-opener in Larson’s three-year stint has been his recognition of the United Kingdom’s far greater exposure to terrorism, thanks to the Irish separatist movement. Until a recent cease-fire, mainland Britain regularly experienced terrorist atrocities, usually at the hands of the Irish Republican Army or its splinter groups. “The U.K. has had 20 years of dealing with terrorism within its borders and so has had a long time to consider what constitutes critical infrastructure and how it might be protected,” says Larson.

It’s not just that U.K. security procedures are more likely to have the resilience that comes from being battle-honed, according to Larson, but also the severity and duration of the threat has produced a more mature mind-set. “Government and industry are much more integrated in terms of formulating a response: The U.K. government has recognized the cost of poor security to its economy and infrastructure, and has partnered with industry to improve it,” he says. “Attitudes in the U.S. are maturing but aren’t at U.K. levels yet,” he adds, pointing to a post-9/11 shift within the United States. (For example, a recent U.K. government initiative requires security personnel to be licensed. See “May I See Your License?” on Page 50.)

Mike O’Neill, a former British Army major who saw active service in Northern Ireland and the Falklands War as part of Britain’s elite Parachute Regiment, and who is now head of Theale-based risk and security management consultancy Greymans, agrees. “A lot of British businesses—and especially the more London-based businesses—have been through an unending threat of terrorist action for a long time. Business continuity and crisis management has moved beyond being a security issue to being a well-understood business resilience issue: Security is just one layer of the onion. Businesses understand that the risk [of terrorist incidents] is something that they simply must address—a lesson that they’ve learned by taking some hard knocks,” he says.

PHOTO BY PATRICK BARTH

Law’s  Long  Arm 

But many of those same businesses are also pushed toward their security stances by regulatory pressures. In particular, a raft of European and British laws, regulations and accords impose security requirements that are either lacking in the United States, or are very different there.

For example, every British company, large or small, has a legal duty of care when it comes to information privacy, enshrined within the Data Protection Act of 1984 and its 1998 successor bill that stretched a single (and largely British-inspired) law of information privacy across Europe. Among its stipulations, says Dino Wilkinson, an IT lawyer at Milton Keynes-based law firm Kimbells, is the requirement that companies take “appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.”

BRITISH CSOs ARE COMING TO GRIPS with a new piece of legislation—the Private Security Industry Act, which received Royal assent in 2001. The act brought into being a new government-backed agency, the Security Industry Authority (SIA), which opened its doors 18 months ago and is now making its presence felt.

The role of the authority, explains Assistant Director Mary Hennessy, is to regulate security companies in order to make them more effective as well as more professional in some of their recruitment and employment practices.

While industry has yet to feel the full force of the authority’s strictures, some of its requirements are already being rolled out across parts of Britain—the requirement for security employees to be licensed, for example, which involves assessing employees’ basic competencies, criminal record and proof of identity.

Licensing began last March, and as of April it will be an offense to employ nonlicensed door supervisors. By early 2006, every one of the nation’s 90,000 security guards must be licensed too. More SIA-inspired changes lie ahead. -M.W.

Publicly quoted companies must also comply with the requirements of the Turnbull Report, a set of recommendations published by the Institute of Chartered Accountants in England and Wales. More than five years old, these requirements oblige such companies to follow specific recommendations in terms of approaches toward risk management (think a British version of Sarbanes-Oxley). These recommendations don’t have force of law, admittedly, but compliance is handy if you want your auditors to sign off on your accounts, or to see your stock price quoted by the London Stock Exchange.

But Turnbull, in common with much British regulation and law, “is far less prescriptive than equivalent American legislation,” says Peter Howes, an independent consultant who is closely linked with the British Standards Institution and who has coauthored several of its compliance guides. The British regulatory environment, he says, “tends to tell you what to do but not how to do it.” British regulations simply say what must be achieved; American rules often go on to specify the means of compliance. Howes proffers an example: the American Securities Exchange regulations 17A3 and 17A4, which govern communications between brokers and their customers. Until very recently, these rules mandated that such communications must be recorded on write-once optical media, since amended to “unchangeable media.” The equivalent British requirements, from the Financial Services Authority, simply mandate that they must be kept secure for a specific (varying) period of years.

It’s the same with the Data Protection Act, adds Wilkinson. “The key word in the legislation is appropriate,” he says. “It’s up to the individual company to decide what is appropriate, having taken into account all the relevant circumstances. The act doesn’t pretend to tell you what measures you should take or how you should comply.”

Despite the wide-ranging legislation with which they must comply, British CSOs are far from regarding their regulatory burden as onerous. Many, such as John Meakin, group head of information security at London’s Standard Chartered Bank, which operates in 55 countries around the globe, now feel that the United States—not the United Kingdom—offers a tougher regulatory regime for CSOs. At root, the cause is events such as 9/11 and the Enron collapse, he says. “In both cases, the U.S. has reacted by passing sweeping legislation,” he notes. The result? A few years back, Meakin felt that his U.K. operations were more regulated than those in the United States. “Now,” he says, “there’s been a change.”

Metrics  Go  East 

If security-related legislation is headed west across the Atlantic, a new focus on the ROI of security is headed the other way, prompting British CSOs to press for metrics to prove their worth. “It’s the major change that we’ve seen from our perspective as a supplier,” says John Holland, London-based vice president of U.S.-headquartered security vendor Cybertrust. “We’re getting asked questions we were never asked before. There’s a real thrust towards better measurement, and better demonstration of value, in order to justify spend on security.”

“The U.K. has had a long time to consider what constitutes critical infrastructure and how it might be protected”
-BRUCE LARSON, SECURITY DIRECTOR, AMERICAN WATER

It’s a trend that can play into the hands of smart CSOs. When Bill Pepper, director of security risk management at Computer Sciences Corp.’s (CSC) British headquarters in Aldershot, joined the company six years ago, he used improved cost-effectiveness as a justification for pulling together CSC’s previously separately managed security strands—information security, physical security and personnel security—into a single security function under his own aegis. Although CSC is an IT services company, Pepper’s responsibilities are internally focused.

“We took around 5 percent off the cost of security provision,” he says. Initial skepticism vanished once the full benefits had been explained, he reports. “It wasn’t so much a question of resistance being encountered, as a need to fully explain the reasoning,” he says. “Once the savings were made clear, it became much more acceptable.”

Role  Models 

Pepper’s broad role brings us to questions of governance—titles and responsibilities, the corporate standing of the CSO, the importance assigned to information security—where again the United States and the United Kingdom are separated. Pepper would probably count himself as one of a small minority of British security executives having responsibilities with such breadth. “America is ahead of Britain in terms of the importance that they give to the security role,” says Paul Simmonds, global information security director at London-based ICI, who spends a good deal of his working life in the United States, managing the security affairs of American subsidiaries such as National Starch. Convergence of physical and information security in Britain is still very rare, he notes. “It tends to be happening only where there are very obvious physical assets to secure, such as petrochemical companies,” says Simmonds.

What’s more, he adds, too many British companies still think in terms of IT security, not information security. At ICI, for example, Simmonds has been responsible for changing the name of his function from “IT security” to “information security.” “The computer part of the job is pretty minimal; the trick lies in being able to get involved at the business process level,” he says. And another small niggle is his own title: “If I was working for an American company, I’d be a CISO—but no one over here understands that phraseology. Yet in America, the term director, which is my title, implies middle management, which can cause difficulties.” One possible solution: two sets of business cards, one for use in the United States and one for Britain.

While security—and in particular, information security—may not be the same hot button that it is in the United States, risk, and especially the risks to business continuity from catastrophic events, most surely is seen as critical. A nation that had become almost inured to attacks from the Irish Republican Army has woken up to the fact that there are bigger threats than truck bombs—and that truck bombs don’t always have to contain fertilizer-based explosive. Although fertilizer-based bombs are deadly—as Oklahoma City showed—antiterrorism intelligence postulates there may be even nastier truck cargoes.

The result seems to be a morphing of the security leadership role. “It’s starting to turn into a broader risk management role, and one which reports in at board level,” says Greymans’ O’Neill. Steve Hunt, former vice president on the IT management and services team at Forrester Research and a 22-year security veteran, agrees. It’s actually a European phenomenon, he says, but one that seems to be gaining traction fastest in Britain: six to eight people drawn from functions such as legal, human resources, the CFO’s office and IT forming a risk management committee and meeting as frequently as once a week. The evidence so far is anecdotal rather than statistical, but the trend can’t be denied, he says.

“The remarkable thing is that it’s often the head of information security who has launched this group, who calls it together and often who presides over it,” adds Hunt, by now a firm convert to the notion. “I’ve started recommending this sort of steering committee be adopted here in the U.S. as a best practice—it’s really amazing to see it in action, taking a holistic view of risk across the enterprise.”

It’s taken the heightened threat of terrorist action to prompt the change, but British executives could yet be a role model for their American counterparts. ■

Malcolm Wheatley is a freelance writer based in the United Kingdom. Send feedback to Editor Derek Slater at dslater@cxo.com.


Why Global Security Policies Fail

Gartner says that differing legal and regulatory environments in various regions and countries make implementing global “one size fits all” security policies complex. To read the report, go to www.csoonline.com/printlinks.


March  2005  www.csoonline.com  51 


CSO Undercover

Doing the Right Thing

Recent government guidelines spell out serious consequences if your company spots a risk and does nothing. But does that mean you should go looking for trouble? Yes. By Anonymous

I RECENTLY FOUND MYSELF REVIEWING the revised corporate sentencing guidelines in preparation for a meeting of our corporate ethics committee. This latest framework, which went into effect Nov. 1, 2004, has two important functions: It spells out the kinds of ethics policies corporate officers should establish and enforce, and it guides judges when they weigh penalties and mitigating factors they may consider in cases of corporate wrongdoing. The bottom line: These guidelines show the ethics buck stops at the top, including our desks.

“Directors and executives now must take an active leadership role for the content and operation of compliance and ethics programs,” the U.S. Sentencing Commission’s statement reads in part. “Companies that seek reduced criminal fines now must demonstrate that they have identified areas of risk where criminal violations may occur, trained high-level officials as well as employees in relevant legal standards and obligations, and given their compliance officers sufficient authority and resources to carry out their responsibilities.”

The commission notably adds: “If companies hope to mitigate criminal fines and penalties, they must also promote an organizational culture that encourages a commitment to compliance with the law and ethical conduct by exercising due diligence in meeting the criteria.”

I work for a global financial institution that has a tradition of “doing the right thing” as a core value of our corporate culture. As the CSO, this ethical way of life and the accompanying expectations have been an incredible asset to my group’s ability to add value. Like the broken window theory that has guided crime reduction efforts in so many cities, we deal with even minor policy violations—regardless of the perpetrator’s status—lest ignoring them invite more serious transgressions. Security doesn’t need to push its way into investigations of wrongdoing; we are routinely invited in by legal counsel, HR, internal audit and line-of-business managers. We are valued as business partners, not as corporate cops. It’s a joy to be the CSO here.

Our Ethics Are Healthy, But—

Having said that, we are cognizant of the ever-changing risk environment in which we conduct our global operations. We know our safeguards aren’t bulletproof. The cost of implementing those safeguards must be balanced against the likelihood of events. Our company has more than 50,000 employees. Experience has shown that people don’t always do the right thing. We have an obligation to protect our clients’ and shareholders’ trust.

Sometimes I think about the pluses of our ethically grounded environment, and I can’t help wondering: What if my career had taken me to the failed Bank of New England, or the once-mighty Enron, or other targets of criminal investigation and reputational meltdown? I’ve often wondered what signs my colleagues at these organizations might have seen, then escalated to top management and been told not to worry. What must it be like to be a CSO in a company whose senior management is up to their eyeballs in fraud and cover-ups? How would I act? What would I do? We’ve seen the aftermath for the auditors at these places. Would there even be a security, ethics or compliance organization at a company where pervasive wrongdoing was accepted practice?

So after I’ve reviewed the Sentencing Commission’s new guidelines, here I am, sitting at our ethics committee meeting considering their implications. The drill here is to do a quick tabletop analysis to affirm that we are on top of these issues.

The guidelines now require companies to periodically assess the risk of criminal misconduct and to take steps that address identified exposures. Top management and the board must be more personally knowledgeable and engaged in making certain that our ethics and compliance programs are really effective. The guidelines impose a further check by requiring periodic evaluations to see how effective our programs are at preventing and detecting violations of the law. Meaning: We have to perform ongoing risk assessments because if we don’t and something bad happens, the court—and shareholders—will hold the board and top management responsible.

Devil’s Advocate Chat

At our committee meeting, we found ourselves in an unusual position. We have become accustomed to setting the bar high when it comes to business ethics. We are




ILLUSTRATION  BY  DUNG  HOANG 




QSGI
Data Security & Compliance

Sales & Marketing Offices | 3225 Neil Armstrong Blvd., Suite 600 | Eagan, MN 55121 USA
tel 651 365 0202 | 866 303 9672 | info datasecurity@qsgi.com
Technical Offices | 70 Lake Drive | Hightstown, NJ 08520 USA
www.qsgi.com


You need certainty that the destruction of your company’s data is handled to the security standards which were intended. Most data destruction experts recommend the Department of Defense standards; however, the standards can be somewhat confusing for most lay people.

Unfortunately, too often only a 1-time overwrite is the solution chosen by those who conduct this important service for you. If your current erasure process takes less than 30 minutes on a typical hard drive, you are NOT getting a 3-time overwrite and your data may be at risk.

It’s important to know the details of the standard in order to fully protect your company. QSGI can take the confusion out of the DoD 5220.22-M standard. We would be honored to assist you with any further technical questions; feel free to call us!

From the data security experts at QSGI, here’s a simplified explanation:

“Clearing” (DoD 5220.22-M): 1-time overwrite. “media must be sanitized prior to release” (as per the Department of Defense 5220.22 specifications). “Items which have been ‘cleared’ must remain at the previous level of classification and remain in a secure, controlled environment.”

“Sanitizing” (DoD 5220.22-M): 3-time overwrite required. “Sanitization is not complete until three overwrite passes and a verification pass have been completed.”

To be 100 percent safe, a 3-time overwrite (sanitizing) is your best method for ensuring the security of your data.
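As an added example (not QSGI’s procedure and not code from the page), the following Python models the distinction the ad draws between a single-pass clear and a three-pass overwrite followed by a read-back verification pass. The in-memory block device, the 512-byte sector size, the pass patterns and the “stuck” sector that silently ignores writes are all constructed for the example. The point it shows is why the verification pass matters: a sector whose write failed is invisible to a clear that never reads back, but is reported by the sanitize routine.

```python
"""Added example: three-pass overwrite plus verification over a simulated disk.

Not QSGI's code or procedure. SimDisk, SECTOR, PASSES and the stuck-sector
behaviour are constructed assumptions for this illustration only.
"""
import random

SECTOR = 512  # constructed sector size for the toy device


class SimDisk:
    """In-memory block device. Sectors listed in `stuck` silently keep their
    old contents on write, modelling a failed write that only a read-back
    verification pass would catch."""

    def __init__(self, sectors, stuck=()):
        self.sectors = sectors
        self.stuck = set(stuck)
        # Pretend the device is full of old data (constructed fill byte).
        self.data = bytearray(b"\xA5" * (sectors * SECTOR))

    def write(self, n, block):
        assert len(block) == SECTOR
        if n in self.stuck:
            return  # write is lost, but the caller is not told
        self.data[n * SECTOR:(n + 1) * SECTOR] = block

    def read(self, n):
        return bytes(self.data[n * SECTOR:(n + 1) * SECTOR])


# Constructed pass patterns: all zeros, all ones, then a random pass.
PASSES = [b"\x00", b"\xFF", None]


def overwrite_pass(disk, pattern, rng):
    """Write one full pass over the device; return what was sent to each
    sector so a later verification pass can compare against it."""
    written = []
    for n in range(disk.sectors):
        if pattern is None:
            block = rng.getrandbits(SECTOR * 8).to_bytes(SECTOR, "big")
        else:
            block = pattern * SECTOR
        disk.write(n, block)
        written.append(block)
    return written


def verify_pass(disk, expected):
    """Read every sector back; return the sector numbers that do not hold
    what the final overwrite pass wrote."""
    return [n for n in range(disk.sectors) if disk.read(n) != expected[n]]


def clear(disk):
    """The ad's 'Clearing' entry: one overwrite pass and no verification,
    so a failed write goes unnoticed."""
    overwrite_pass(disk, b"\x00", random.Random(0))
    return {"passes": 1, "verified": None}


def sanitize(disk, seed=1):
    """The ad's 'Sanitizing' entry: three overwrite passes, then a
    verification pass that reads the whole device back."""
    rng = random.Random(seed)
    last = None
    for pattern in PASSES:
        last = overwrite_pass(disk, pattern, rng)
    failed = verify_pass(disk, last)
    return {"passes": len(PASSES), "verified": not failed,
            "failed_sectors": failed}


if __name__ == "__main__":
    good = SimDisk(8)
    print("healthy device:", sanitize(good))
    flaky = SimDisk(8, stuck={3})
    print("device with a stuck sector:", sanitize(flaky))
```

On the healthy device the result reports `verified: True`; on the device with a stuck sector, `clear()` returns without complaint while `sanitize()` lists sector 3 as failed, which is exactly the difference between trusting the writes and checking them.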




Get the Truth on Data Destruction.


used to feeling confident in our abilities to measure that we are doing the right things. Now we see this federal body establishing requirements with very serious sanctions.

We began discussing the business and legal risks of compliance with the guidelines to the letter versus compliance with the intent. What if we do a very aggressive risk analysis and find ugly things we’ve never seen before? What consequences might we face?

Indeed, why do we take on this risky exercise? Look at the oversight environment we find ourselves in: Sarbanes-Oxley reporting; the USA Patriot Act monitoring; crusading regulators, politicians and prosecutors seeking headlines; pressure in corporate America to install an invigorated board with more external members, all of whom are running scared of liability and not being aggressive enough; internal and external auditors making certain that every rock is turned over; the development and application of monitoring systems designed to detect unlawful conduct; employee newsletters and intranet messages re-advertising our whistle-blower hotline.

These are control-oriented times that can dull the thoughtful risk-taking that makes for business success.

The climate in the meeting room turned cloudy. We found ourselves assigning a darker cast to the internal business risks that have been at the center of our governance activities. We know there are holes in our security practices. We know that not every employee and agent can be as ethical as we would like. We know the velocity of the business masks weaknesses in our internal controls.

In addition, there are new risks associated with other business changes. We are expanding the elite group entrusted with controlling sensitive operations. We are moving high-risk jobs to vendors, including vendors in countries we know don’t share our standards of care. Line-of-business managers may overlook risks or fail to alert higher-ups when they do see them. The lights must shine brighter on these vulnerabilities, and we need to raise the bar on risk oversight—even though we have to reduce the cost of our controls.

The thing about risk assessments, though, is that they always carry some risk themselves of coming back to haunt the company that failed to address the identified issues. This problem comes up around premises liability, for example. If not carefully thought through, the compliance assessments, hotlines and other documented findings outlined in the Sentencing Commission’s guidelines could provide substantial grist for litigation, competitive analysis or other damaging results by revealing what you knew and what you didn’t do in response.

All  Together  Now 

Our committee reached a consensus. Management would address any shortcomings we might identify in risk assessments. Risk management, security, audit, compliance, ethics, counsel, HR and line management would all engage in risk identification. To make this work, we decided to virtually combine our security and corporate ethics committees and to maximize information-sharing and follow-up accountability with the audit committee. Corporate security has the assignment of working with internal auditors on a strategy for reporting ethical red flags. (I’m now on more board meeting agendas, rather than preparing information for the chief auditor. And I receive board-inspired suggestions for proactive risk reviews.)

Our committee felt that our investigation protocols already met the most stringent concerns of legal counsel because counsel works with HR to coordinate all internal inquiries. We were satisfied with our background investigation policies and procedures. We planned to scrub our existing business conduct policies to make sure compliance standards were at a sufficient level.


The committee identified a need to develop a new policy that top management would communicate to employees, outlining the rationale for the revised ethics and compliance program, along with key personal accountabilities, and how we are to approach risk analysis, incident reporting, training and employee awareness. We didn’t want people going off on their own on risk analysis, so we knew we would have to staff this policy with key business leaders.

Training, of course, needed to go beyond the frontline employees. And while policy compliance training was always a part of our regulated environment for a large population of employees, it became a requirement for senior management, board members and outside agents. Our committee members wondered how to approach these groups. Because the training is so negatively focused, we were afraid we’d turn them off. (Can you hear the booming voices: “Why do I need to be lectured on ethics?”) Our answer: “We are going to test-market a program with some senior executives and a couple of board members we know are friendly to these issues. Then we’ll take it further after tweaking it from their experience.”

Now, we start early with employees. A senior executive addresses all new employee orientations on our values and their role in maintaining an organization committed to ethical conduct. We plan to upgrade everyone’s annual compliance training, adding specific examples of ethical dilemmas and answers to frequently asked questions. We also have a module in our management training curriculum on “Integrity as a Cornerstone of the Business,” delivered by a representative of corporate security. Consistent with another guideline requirement, all employees, vendors and agents already undergo background investigations.

One off-the-record question at our meeting was: “What if we do nothing in response to these sentencing guideline revisions?” As I said, this is a very ethical organization with precisely the culture sought by the Sentencing Commission. At day’s end, we couldn’t look each other in the eye and know that doing nothing was doing the right thing. ■

This column is written anonymously by a real CSO. Send your comments via e-mail to csoundercover@cxo.com.




Senior security executives are required to perform difficult and constant balancing acts between the art and science of security, continuously weighed against the needs of the business. Getting the “science” part of the equation right is the easier part. The technologies are known entities, and better ones continue to evolve. There are quantitative measurements around such issues as intrusion detection, forensics and regulatory compliance, along with more mature attempts to quantify the ROI of security.

It’s the “art” of security that’s the harder part—the art of diplomacy, of persuasion, of getting into and understanding other mindsets. It’s everything from establishing security procedures everyone will actually follow to fostering positive relations with senior executives and the board of directors. It’s getting the staff to think like a hacker or terrorist to get ahead of potential threats.

Join your peers from business, industry and government as we tackle the challenges facing today’s senior security executives.


April 10-12, 2005
Hyatt Regency Huntington Beach
Huntington Beach, CA

Turn the page for more CSO Perspectives conference details

Sponsored by
Intelli iactii PricewaterhouseCoopers

Presented by
CSO: The Resource for Security Executives


We’ll examine this complex balancing act by looking at what the top practitioners are thinking and doing, and by listening to what leading security and privacy experts think will affect the landscape of the future.


Governance and Convergence: Getting It Right

The convergence of physical and information security, if effectively governed within an organization, assigns accountability for security strategy and business plan creation at the highest levels. It can enable company leadership to identify, prioritize and balance security issues and needs of the business through a more comprehensive approach.

Enterprise Risk Management: A Matter of Focus

Looking at and balancing risk on an enterprise level is the only effective way to manage a corporation in our very complex world. Explore how enterprise risk management can give a single view of all types of risks, and an executive-level management strategy to deal with them.

Security as a Business Enabler

Perhaps the hardest part of security is to cost justify it and show its value to the business. It’s like buying an insurance policy—no one really wants to spend the money. What if you could prove that security really can add value?

What’s Privacy Got to Do With It?

The importance of balancing privacy and security in a digital age is only overshadowed by the perceived difficulty of actually doing it. The current economic, legal, and regulatory challenges after 9/11 have made it all the more important to ensure the adoption of good laws and technologies that protect privacy and security at the same time. We provide a roadmap.

The Cost of Compliance vs. the Cost of Non-Compliance

Some pundits say security is on the way to becoming a fully-regulated industry, what with an increasing number of official directives from legislative bodies, regulatory agencies and industry consortia around the world. Toss in partially overlapping or completely diverse requirements from different agencies and you’re guaranteed that compliance will be that much more difficult—and very, very expensive. In this session, we look at the potential costs of compliance, weighed against the risks of non-compliance. What can CSOs do to understand the “dollars and sense” of it all, and to prioritize your organization’s compliance list?

Fear Factor: Information Sharing

In spite of the number and variety of existing mechanisms designed to enable real information sharing among both public and private sector organizations, many folks in the security business say they just don’t work. The reason: no one’s really willing (or able, if corporate legal counsel has their say) to share. Yet, if no one admits to vulnerabilities, everybody suffers. Is there a way to overcome the fear factor here and make information sharing viable?

Strategic Planning: Developing the Plan That Works for You

Developing a sound strategic security plan will provide you with the means to gain management concurrence, stakeholder buy-in, and team member direction. How do you strategically approach security? Do you view it as a return on investment, from a risk management perspective, or by just playing upon emotions? This session shows how one organization developed its security strategy from beginning to end—and the measurements used to determine its success. Knowing the “how” in delivering security is just as important as the “what” you are providing to your organization.

Plus More Peer-to-Peer Networking Opportunities

• CSO Golf Tournament
• Moderated Discussion Groups
• Luncheon Discussion Roundtables
• DrillDown Breakout Sessions
• Networking Receptions
• Sponsor Hospitalities


SPEAKERS

Michael J. Assante, CSO, American Electric Power
Bob Bragdon, Publisher, CSO magazine
Joyce Brocaglia, CEO, Alta Associates
David Burrill, CSO, British American Tobacco
Roger Cochetti, Group Director, US Public Policy, CompTIA
Bob Hayes, CSO, CXO Media Inc./IDG & Former CSO, Georgia-Pacific Corporation
Nuala Kelly, Chief Privacy Officer, DHS
David Kent, CSO, Genzyme Corporation
Richard Lefler, Managing Partner, Business Security Advisory Group and Retired Vice President & Director of Corporate Security, American Express
Mark S. Lex, Director, Global Security, Abbott Laboratories
Lew McCreary, Editor in Chief, CSO magazine
James McDonnell, Chief Security & Information Officer, USEC and Former Director, Protective Security Division of the Information Analysis and Infrastructure Protection Office, DHS
Peter Metzger, Partner, Heidrick & Struggles
Bhavesh Patel, Vice President, Information Security, Genzyme Corporation
John Pontrelli, CSO, TriWest Healthcare Alliance
Jeffrey Rosen, Professor of Law, George Washington University and Author of The Naked Crowd and The Unwanted Gaze
Jeff Rosenthal, Vice President, BlessingWhite, Inc.
Marshall Sanders, Vice President, Global Security, Level 3
R. E. “Sandy” Sandquist, Director Global Security, General Mills
Krizi Trivisani, CISO, George Washington University
Ira Winkler, Industry Guru and Author of Corporate Espionage and Spies Among Us
Amit Yoran, Former Director, National Cyber Security Division of the Information Analysis and Infrastructure Office, DHS
Jonathan Zittrain, Conference Moderator and Cofounder, Berkman Center for Internet & Society, Harvard Law School

To register and for more information call 800.366.0246 or visit www.csoonline.com/conferences


Advertising Supplement

Inside Your Network


Danger lurks within.

Today’s headlines are filled with stories of insiders accessing and distributing sensitive company information. Whether they’re stealing and selling customer data for profit or accidentally disseminating financial information, insiders can do tremendous damage to a company’s reputation and create substantial legal and financial headaches. The ability to thoroughly investigate security breaches not only makes good business sense, it’s now mandatory, driven by regulations such as Sarbanes-Oxley and HIPAA. Following are four rules that enable you to ensure compliance and conduct effective security investigations.


4 Rules for conducting successful security investigations

Rule #1: Capture all activity logs from all devices, systems, networks and applications.

Let’s talk about how insiders break in, and more importantly, how you can catch them. All too often the door is actually wide open. Think about it this way: Insiders—employees, consultants, even customers and partners—have valid IDs and passwords. Thus, they bypass the firewall when they walk in the front door, and defeat authentication systems with their valid IDs. Perimeter-focused security systems just don’t keep insiders from doing bad things.

Of course, in most cases, insiders are accessing systems for legitimate business purposes. But if you use a security architecture that focuses on external intrusion alarms and that only retains access denials, you fail to capture an important piece of information: valid accesses. Valid accesses tell you who succeeded in getting past your perimeter, providing critical data for investigating security violations, determining the extent of damage and preventing further abuses. Unfortunately, due to data overload, most security event management (SEM) systems only capture and/or store access denials data. With SenSage you can capture both denials and valid accesses for complete visibility.

Rule #2: Store all log data in one place and retain it for at least six months.

With scores of systems open to many users, security threats can only be properly detected and investigated by consolidating all activity logs from all systems in a central repository. Without the ability to centrally access data, it’s impossible to correlate between security events across the diverse systems of your information architecture. For example, say that an employee accesses a customer database, extracts a file containing private data and then goes to his Internet-based e-mail account to send this file to an external destination. To reveal this violation, you would need to be able to view accesses to both the


cso 

Custom  Publishing 


Advertising  Supplement 


Just  one  investigation  into  an  unauthorized  information  access  breach  can  take  hours,  if  not 
days,  to  complete.  Many  large  companies  spend  upwards  of  $1.5  million  on  data-security 
operations  each  year.  Implementing  a  comprehensive  log  management  solution  saves  time 
and  money  by  automating  many  personnel-intensive  tasks.  Consider  the  following: 


Savings 

Security  Operations  and  Investigations  Tasks  Potential 


Detecting  incidents:  Logs  are  generated  by  many  disparate  sources  in  your 
system’s  architecture,  requiring  teams  of  people  investigating  each  piece 
of  the  puzzle.  Putting  together  a  complete  picture  with  correlations  across 
and  between  those  components  is  time-consuming  and  costly. 

Investigate  and  Resolve:  If  your  IT  team  needs  to  access  multiple  databases  50% 
and  interface  with  various  departments  to  collect  logs,  valuable  time  is  lost. 

Automatically  collecting  the  data  and  storing  it  in  a  central  repository  reduces 
the  data  collection  time  practically  to  zero,  so  you  can  immediately  proceed  to 
correlation,  analysis  and  resolution.  This  approach  also  provides  far  greater 
protection  over  the  log  data. 


Auditing:  Creating  a  verifiable  audit  trail  that  meets  regulatory  requirements 
is  nearly  impossible  without  complete  log  data.  A  centralized  repository  with 
targeted  reporting  and  query  tools  and  an  embedded  process  to  preserve  and 
document  the  chain  of  custody  can  give  a  complete,  legally  valid  record  while 
greatly  minimizing  time  spent  to  demonstrate  compliance  or  prove  culpability. 


30% 


What  you  need  to  ensure  complete 

INVESTIGATIVE  CAPABILITIES 

When  selecting  a  solution  for  managing  securi¬ 
ty  risk,  be  sure  to  verify  that  it  can: 

•  Capture  all  logs  from  your  diverse  devices, 
systems,  networks  and  applications. 

•  Store  data  in  its  complete  form  centrally  with 
online  availability  for  at  least  one  year. 

•  Set  up  an  alert  mechanism  when  it  detects 
anomalies. 

•  Provide  targeted,  pre-defined  reports  for 
quick,  high-level  review  as  well  as  custom 
and  ad-hoc  reporting. 

•  Enable  you  to  drill  down  into  the  level  of 
detail  you  need  to  protect  your  business  and 
truly  comply  with  regulatory  mandates. 

•  Ensure  redundancy  and  high  availability  of 
all  data  collection  and  storage. 

•  Retain  a  complete  chain  of  custody  of  the 
data  should  you  require  it  for  audit  or  prose¬ 
cution  purposes. 

Benefits  of  a  comprehensive  SIM 

SOLUTION  FOR  SECURITY  INVESTIGATIONS: 

Increases  visibility  and  allows  detection  of 
critical  insider  threats 

Uncovers  breaches  that  occur  over  time  and 
across  multiple  systems 
Reduces  time  needed  to  investigate  and  cor¬ 
rect  security  violations  and  personnel  cost 


customer  database  and  to  Web-based  e-mail. 

A  smart  insider  would  commit  such 
crimes  over  an  extended  period,  so  besides 
having  a  central  repository,  you  also  need 
to  store  your  security-log  data  over  long 
stretches  of  time.  In  addition,  when  you 
perform  an  investigation,  you  may  find  it 
necessary  to  look  back  many  months  to 
see,  for  instance,  what  happened  last  July 
before  a  particular  employee  was  fired.  You 
can  never  know  in  advance  what  data  will 
be  important  to  keep. 

Most  SEM  vendors  are  unable  to  cap¬ 
ture  sufficient  data  from  applications  and 
databases  because  they  cannot  store  the 
massive  volumes  of  data  generated  by  the 
disparate  components  in  a  central  database. 
Through  its  patent-pending  data  storage 
model  and  unique  compression  based  on 
flat-file  architecture,  SenSage  can  capture 
and  store  substantially  more  data  for  longer 
periods  of  time  than  other  SEM  vendors. 
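The cross-system correlation described under Rule #2 above, which depends on the Rule #1 point that successful accesses (not only denials) are retained, as an added worked example. This is illustrative code written for this page, not SenSage’s product or anything from the supplement: the two log feeds and their formats, the host and user names, the list of Web-mail hosts, the 30-minute window and the 1 MB upload threshold are all constructed assumptions.

```python
"""
Added example (not SenSage code): join a database audit log with a Web
proxy log to surface the "export customer data, then send it out through
Web-based e-mail" pattern described under Rule #2.  Both feeds below are
constructed samples; formats, hosts, users and thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed database audit log.  Note the ALLOW rows: a denial-only feed
# (the Rule #1 failure mode) could never produce the chain we look for.
DB_AUDIT_LOG = """\
2005-02-14T09:02:11 dbsrv01 audit user=jsmith action=SELECT object=customers rows=18 status=ALLOW
2005-02-14T09:05:40 dbsrv01 audit user=jsmith action=EXPORT object=customers rows=42000 status=ALLOW
2005-02-14T09:06:02 dbsrv01 audit user=mlee action=SELECT object=orders rows=7 status=ALLOW
2005-02-14T11:30:15 dbsrv01 audit user=rkhan action=EXPORT object=customers rows=9 status=DENY
"""

# Constructed Web proxy log (authenticated proxy, so the user is known).
PROXY_LOG = """\
2005-02-14T09:01:55 proxy01 user=mlee method=GET host=intranet.example.com bytes_out=512
2005-02-14T09:19:23 proxy01 user=jsmith method=POST host=mail.webmail-example.net bytes_out=8340211
2005-02-14T10:40:09 proxy01 user=jsmith method=POST host=mail.webmail-example.net bytes_out=2200
2005-02-14T11:31:00 proxy01 user=rkhan method=POST host=mail.webmail-example.net bytes_out=5000000
"""

WEBMAIL_HOSTS = {"mail.webmail-example.net"}   # assumed list of Web-based e-mail hosts
MIN_UPLOAD_BYTES = 1_000_000                    # assumed: smaller POSTs are ignored

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn 'TIMESTAMP HOST key=value ...' into a dict with a parsed timestamp."""
    ts, host, *_ = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "host": host}
    rec.update(KV_RE.findall(line))
    return rec

def load(text):
    return [parse(l) for l in text.splitlines() if l.strip()]

def db_exports(db_events):
    """Successful bulk exports only (status ALLOW): the valid accesses Rule #1 wants kept."""
    return [e for e in db_events
            if e.get("action") == "EXPORT" and e.get("status") == "ALLOW"]

def webmail_uploads(proxy_events):
    """Large POSTs to known Web-based e-mail hosts."""
    return [e for e in proxy_events
            if e.get("method") == "POST" and e.get("host") in WEBMAIL_HOSTS
            and int(e.get("bytes_out", 0)) >= MIN_UPLOAD_BYTES]

def correlate(db_text, proxy_text, window_minutes=30):
    """Return (user, export_time, upload_time, bytes) for every successful export
    followed, by the same user and within the window, by a large Web-mail upload."""
    window = timedelta(minutes=window_minutes)
    exports = db_exports(load(db_text))
    uploads = webmail_uploads(load(proxy_text))
    hits = []
    for ex in exports:
        for up in uploads:
            same_user = up["user"] == ex["user"]
            in_window = ex["ts"] <= up["ts"] <= ex["ts"] + window
            if same_user and in_window:
                hits.append((ex["user"], ex["ts"], up["ts"], int(up["bytes_out"])))
    return hits

if __name__ == "__main__":
    for user, t_export, t_upload, nbytes in correlate(DB_AUDIT_LOG, PROXY_LOG):
        print(f"ALERT {user}: exported customers at {t_export:%H:%M}, "
              f"sent {nbytes} bytes to Web-mail at {t_upload:%H:%M}")
```

On the sample data only jsmith is flagged: the export at 09:05 is followed by an 8 MB POST to Web-mail at 09:19. rkhan’s export was denied and therefore never produced a file to leak, and jsmith’s later 2 KB POST is below the size threshold. Neither feed alone reveals the pattern, which is the point of consolidating both in one repository.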

Rule #3: Automatically monitor aberrations daily to catch violations early on.

It’s worth repeating: If your business is subject to compliance mandates, effective security information management isn’t just good business practice: It’s the law. With the right tools, you can automate much of the monitoring and alerting required. By using canned queries with pre-defined reports, you can easily review information to spot violations on a daily basis. Trying to accomplish that goal manually is not an option: There’s no cost-effective way to review the massive volumes of data generated by your business. And during the time it would take to complete a thorough and accurate review, the impact of any security breach may grow exponentially. SenSage provides out-of-the-box intelligence that enables you to quickly spot any unusual activity.

Rule #4: Investigate quickly and thoroughly and respond with corrective action.

When you spot an anomaly, the sooner you conduct further queries and correlations to identify the extent of damage and contain the problem, the smaller the potential impact on your business. For example, if you detect that a former employee still has an active user ID and password, it’s easy to immediately invalidate both. But if you can’t immediately investigate all activity across your systems and applications, you can’t determine whether that person might have opened other security holes, such as creating other IDs and passwords under fictitious names. In other words, you may have plugged one leak, but you haven’t prevented the dam from breaking.

SenSage’s easy-to-use query builder facilitates rapid search across log files from disparate components, allowing you to identify any activity attributed to the rogue ID.
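The daily canned check of Rule #3 and the follow-up investigation of Rule #4 (a former employee’s ID still in use, and the other IDs that rogue ID may have created) as one added worked example. This is illustrative code written for this page, not SenSage’s query builder or any code from the supplement; the HR feed, the login and account-creation records, their field names and every user name are constructed assumptions.

```python
"""
Added example (not SenSage code): a daily report that (1) flags successful
logins by IDs whose owner has already left (Rule #3) and (2) for each such
ID walks the account-creation log to find every account it created, directly
or through an account it created (Rule #4).  All records are constructed.
"""
from datetime import date

# Constructed HR feed: user ID -> last day of employment.
TERMINATED = {"jsmith": date(2005, 1, 31), "bwong": date(2004, 11, 15)}

# Constructed authentication log of *successful* logins.  Denials alone
# would not show that a stale ID is still being used.
LOGINS = [
    {"day": date(2005, 2, 3),   "user": "mlee",    "src": "10.1.4.22"},
    {"day": date(2005, 2, 3),   "user": "jsmith",  "src": "10.1.9.7"},
    {"day": date(2005, 2, 10),  "user": "jsmith",  "src": "10.1.9.7"},
    {"day": date(2005, 2, 12),  "user": "tmiller", "src": "10.1.9.7"},
    {"day": date(2004, 11, 10), "user": "bwong",   "src": "10.1.2.2"},
]

# Constructed identity-management log: who created which account, and when.
ACCOUNT_CREATED = [
    {"day": date(2005, 1, 20), "creator": "jsmith",  "new_user": "tmiller"},
    {"day": date(2005, 2, 11), "creator": "tmiller", "new_user": "svc_backup2"},
    {"day": date(2005, 1, 5),  "creator": "itadmin", "new_user": "mlee"},
]

def stale_id_logins(logins, terminated):
    """Rule #3 daily check: (user, day) for every successful login that
    happened after the user's recorded last day."""
    return sorted({(e["user"], e["day"]) for e in logins
                   if e["user"] in terminated and e["day"] > terminated[e["user"]]})

def accounts_created_by(root, created_events):
    """Rule #4 follow-up: every account created by `root`, plus accounts
    created by those accounts, and so on (breadth-first over the log)."""
    found, frontier = [], [root]
    while frontier:
        creator = frontier.pop(0)
        for ev in created_events:
            if ev["creator"] == creator and ev["new_user"] not in found:
                found.append(ev["new_user"])
                frontier.append(ev["new_user"])
    return found

def daily_report(logins, terminated, created_events):
    """Stale ID still logging in -> list of related accounts to disable or review."""
    report = {}
    for user, _day in stale_id_logins(logins, terminated):
        report[user] = accounts_created_by(user, created_events)
    return report

if __name__ == "__main__":
    for user, related in daily_report(LOGINS, TERMINATED, ACCOUNT_CREATED).items():
        print(f"{user}: logged in after termination; "
              f"accounts it created (review/disable): {related or 'none'}")
```

On the sample data jsmith logged in twice after the recorded last day, while bwong’s only login predates termination and is not flagged. The second pass shows why invalidating one ID is not enough: jsmith created tmiller, and tmiller in turn created svc_backup2, so both are listed for review. The creation log is only useful here because it was captured and retained centrally, which is what Rules #1 and #2 require.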

Bottom line: There will always be insiders trying to violate security rules. But following these few tried-and-true best practices can greatly mitigate the potential impact of their actions to your enterprise.

To learn how your company can benefit from SenSage’s comprehensive Security Risk Management Solution, please visit us at www.sensage.com, call 415-281-1900 or e-mail info@sensage.com


Can 9 Million Skype Users Be Wrong?

Skype is a great way to communicate. But CSOs know that it also brings auditing and monitoring challenges. By Simson Garfinkel

Technologies, Tools and Tactics

Skype is a high-quality encrypted Internet telephony system that allows for the exchange of files, interconnects with the public switched telephone system and easily tunnels through firewalls. You may not have heard of Skype, but there are 9 million Skype users, so chances are some of your employees have. Skype provides a cheap way to communicate, but CSOs should know that the system’s security is impossible to audit, and the vendor refuses to disclose details on security features. If secure communications are important to your business, read on. Depending on your organization, Skype is either a wonderful tool for communication or a problem technology that must be policed, controlled and, if possible, eliminated from your systems.

Skype was released last year by the creators of Kazaa, the popular file-trading system. Like Kazaa, Skype is based on firewall-busting peer-to-peer technology. When you first start running Skype, it scans the Internet looking for a Skype “supernode.” Supernodes are other people running the Skype program who aren’t screened by firewalls. These users can consequently both receive and initiate connections across the Net. An unknown number of supernodes link to other supernodes; eventually, the chain reaches back to the Skype servers, wherever they happen to be. Supernodes also facilitate connections back to Skype users who are behind firewalls and Network Address Translation boxes.

But despite their similarities, Skype does not come with Kazaa’s baggage. Unlike Kazaa, Skype is not advertiser-supported and does not come with adware or spyware. Instead, Skype’s creators make money by operating the bridge between the Skype network and the other telephone networks. With the SkypeOut service, a Skype user can place calls to ordinary landlines or cell phones throughout the world for just a few pennies


ILLUSTRATION  BY  ANASTASIA  VASILAKIS 


March  2005  www.csoonline.com  57 


per minute from their computers. SkypeIn, a corresponding service that will be released this summer, will allow Skype users to receive phone calls from the telephone network.

Every Skype user has a unique Skype user name and password. You provide the user name and password when you log in; the network then verifies that your password matches the password that you provided when you signed up. Once you’ve logged in, you can initiate a call through your desktop to any other Skype user. You don’t need to know where he is; he just has to be logged in to Skype somewhere on the Internet.

Unlike AOL Instant Messenger, there’s no problem with being logged in to Skype in more than one location. Each location will ring if someone tries to call you. Thus, Skype is a lot friendlier to people like me who work from multiple computers. And while it’s primarily designed for voice communications, Skype will also let you send instant text messages and files. Most people I know who use Skype keep a very short contact list of other Skype users and block incoming voice and text messages from everyone else.

Unlike Vonage and other voice-over-IP systems, Skype is not based on session-initiated protocol or any other Internet standard. Skype uses a protocol that’s both proprietary and secret. The company claims that all Skype communications are encrypted with a 256-bit advanced encryption standard and that keys are exchanged using the RSA encryption algorithm. I’ve looked at Skype’s packets, and I can verify that they are in fact encrypted, but there’s really no way to know how secure it is without considerable documentation and cooperation from the company.
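The kind of check behind the author’s remark that the packets “are in fact encrypted”, as an added example that is not the author’s code or anything from Skype: per-byte Shannon entropy, with the share of printable bytes as a second signal, separates a plaintext signalling message from ciphertext-like bytes. It carries the same caveat the column makes: a high score shows only that the payload is unreadable (encrypted or merely compressed), not how strong the cipher or key exchange is. Both payloads are constructed samples, not captures; the entropy threshold is an assumption.

```python
"""
Added example (not the author's or Skype's code): entropy-based check of
whether a captured payload looks like plaintext or like ciphertext.  Both
sample payloads are constructed; the 7.0-bit threshold is an assumption.
"""
import math
import random
from collections import Counter

# Constructed sample 1: a plaintext signalling message (SIP, the standard
# the column contrasts Skype with), as an unencrypted VoIP packet might look.
PLAINTEXT_PAYLOAD = (
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.5:5060\r\n"
    b"From: <sip:alice@example.net>\r\n"
    b"To: <sip:bob@example.net>\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample 2: seeded pseudo-random bytes standing in for ciphertext.
_rng = random.Random(2005)
CIPHERTEXT_LIKE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1024))

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Independent signal: fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic only.  Low entropy proves the payload is readable; high entropy
    proves it is not readable, which encryption *or* compression would cause,
    and says nothing about key size, key exchange or implementation quality."""
    return shannon_entropy(data) >= threshold

if __name__ == "__main__":
    for name, payload in (("plaintext", PLAINTEXT_PAYLOAD),
                          ("ciphertext-like", CIPHERTEXT_LIKE_PAYLOAD)):
        print(f"{name:16s} entropy={shannon_entropy(payload):.2f} bits/byte "
              f"printable={printable_ratio(payload):.2f} "
              f"looks_encrypted={looks_encrypted(payload)}")
```

Run over real captures, this is the first question an auditor can answer without vendor cooperation (is anything readable on the wire?); everything beyond that, as the column says, needs documentation the vendor has not provided.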

These facts combine to make Skype an emerging problem for many CSOs.

For organizations—such as investment companies—that are required by law to monitor communications between their employees and their customers, Skype is an untappable voice gateway. It’s also largely unstoppable, because Skype can tunnel through, over or around most kinds of firewalls. And for organizations—such as hospitals—that are required by law to provide for secure communications between employees and customers, Skype gives the appearance of a secure communications channel, but it might not provide any security at all.

On the other hand, if neither monitoring nor secrecy of voice communications is a legal requirement for your organization, another perfectly reasonable approach is to embrace Skype and its peer-to-peer voice technology. Skype is certainly more secure than most cell phones, which have their encryption disabled, or landlines that don’t have any encryption at all. Sure, there is a chance that your Skype conversation is going through another person’s computer, and there’s a chance that they’ve managed to crack Skype’s algorithm and are listening in on everything you say. Even though there is certainly the potential for abuse, in most cases the actual chance of abuse is small.

Another important aspect of security is availability—that is, making sure that systems and backup systems are always available to serve your users’ needs. And availability is where Skype really shines. No matter where you are, if you have some kind of connectivity to the Internet, you can use Skype to communicate with others. This is a huge benefit to the mobile worker, because you can just sit down in some cybercafe anywhere in the world, take out your laptop, and—wham!—you are in direct communication. (On the other hand, if Skype’s


Explosives Detection

The attacks of September 11 transformed aviation security in the United States. Soon after, a slew of security measures were established, including a requirement by Congress that all checked baggage be screened for explosives by Dec. 31, 2002.

That set off a boom in the explosives detection systems (EDS) marketplace. According to Matthew Farr, industry analyst at Frost & Sullivan’s Aerospace & Defense Group, the market surged between 2001 and 2002. After that, the market cooled off, dropping to $219 million in 2004, but Farr predicts the market will rebound to $595 million by 2009.

Most of the money that funds EDS growth has come from the federal government. (Congress appropriated $1.488 billion for EDS-related purchases and modifications to terminals through FY04.) The two devices used by the Transportation Security Administration (TSA) to screen for explosives are EDS and ETD (explosive trace detection) machines. As you’ve likely observed while idling away your time in airport lines, EDS devices take up a large footprint in terminals, weighing up to 17,000 pounds. The machines, which cost more than $1 million, can scan hundreds of bags an hour using CAT-scan-like technology.

ETD devices are used by TSA to check carry-on baggage for explosives. (Passengers selected by screeners for pat-downs also get their bags checked.) Screeners take a dry pad and wipe the outside of an item. The pad is then run through an ETD device, which analyzes the pad for chemical traces of explosives. The devices are about the size of a computer printer.

NOTHING’S PERFECT

Compared to explosives detection before 9/11, when just 5 percent of checked bags were screened, the fact that 100 percent of checked bags are run through EDS machines is quite an achievement, especially given the rapid implementation. But the technology is far from perfect. A report from the House Subcommittee on Aviation notes that many common objects have similar densities to explosives, resulting in a high number of false alarms. EDS machines also can miss smaller amounts of explosives.

ETD machines boast high detection rates, but are prone to human error. A recent report by the National Academy of Sciences notes the downsides of “blind sampling,” that is, screeners wiping areas thought to be the most likely to have residues. Detection could fail if the surface was cleaned or the wiping didn't






DON’T BE THROWN by the next CURVE BALL that comes your way

Join the strategic online forum for today’s top security executives...AND BE PREPARED

CSOonline.com is a unique resource for CSOs and other top security executives. Gain access to the tools you need to make the right decisions to stay ahead of the curve.

»Talk with security industry experts and the award-winning CSO magazine editorial team

»Connect with your peers: CSOs and other security leaders

»Stay current on emerging security issues and key challenges you face

»Discuss shared problems and viable solutions with fellow CSOs




»Leverage successful strategies from practitioners and analysts



Additional  resources  on  CSOonline.com: 

TOPIC-FOCUSED  RESEARCH  CENTERS  provide  in-depth 
examination  of  important  security  topics  with  critical 
articles,  research,  analyst  reports,  events,  case  studies 
and  more. 


WEB-EXCLUSIVE  CONTENT  updated  daily 


OPT-IN NEWSLETTERS keeping you up to date on leadership trends, career strategies, and new technologies.

EXTENSIVE LIBRARY OF WHITE PAPERS on topics such as enterprise security, risk analysis, identity management and much more.




The  Resource  for 
Security  Executives 


creators decide to pull the plug on the company’s servers, every Skype user on the planet will be suddenly dead in the water—unless, of course, an enterprising hacker can figure out how to patch the Skype executable so that it uses a different set of servers on the Internet.)

Because it’s peer-to-peer, you can use Skype to exchange large files without worrying about any server-based restrictions. Although the protocol doesn’t seem to recover gracefully from interrupted transmissions (it restarts the transfer in the middle of the file), it’s completely reasonable to use Skype to send 100MB files from one end of the planet to the other. Skype’s servers will do the user name/password authentication, but the data packets will go directly from one user’s computer to the other’s—possibly passing through a Skype user or two.

The fact that Skype’s user name/password combinations are validated by central servers gives Skype another big advantage over e-mail: authentication. The vast majority of e-mail on the Internet is sent without authentication. As a result, when you get a piece of e-mail, you never can be sure that the address listed on the message is where it was really sent from. But since every Skype user is validated before being allowed to join the network, you can have reasonable trust in the identities that flash through the Skype application. Such authentication helps build the business justification for Skype.

Two negatives are operating against Skype. The first is the fact that the Skype client running on your computer can and will relay calls between other network users without your knowledge. That can pose a problem on networks that have only a little bit of Internet connectivity. It makes sense that Skype would detect how much bandwidth you have for this kind of third-party altruism. But alas, the algorithm that Skype uses to determine how much of this relaying it is allowed to engage in is proprietary, so we can’t know for sure.

The other drawback is that bad guys can, of course, use Skype to send worms and viruses. Obviously, the first thing to do is to block files transmitted by anyone you don’t know. A better approach would be to integrate Skype with your computer’s antivirus system so that all incoming files are automatically scanned. That’s not currently a Skype feature, but it might be by the time you read this.

Probably the most important thing about Skype, however, is not the program’s functionality today, but something much deeper about the whole Skype process. One year after Skype launched, it had more than 9.5 million users worldwide, with more than 1.5 million connections per day and, on average, 500,000 people connected at any given time. The software is available for Windows, Mac OS X, Linux and Pocket PC. The software has the capability of automatically updating and upgrading itself, allowing it to acquire new features at any time—potentially without the permission of the user. The software uses a secret protocol; all communications are encrypted. And Skype Technologies does its engineering in Tallinn, Estonia, has some business operations in London and registers its website in Amsterdam.

If I were going to write an information warfare thriller with a theme based on Invasion of the Body Snatchers, this is certainly where I would start. ■

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He can be reached via e-mail at machineshop@cxo.com.


come into contact with the residue. On the other hand, an alarm could go off if the person had come into contact with residue innocently—say, they work in the commercial explosives industry or take heart medication containing nitroglycerin. False alarms, in turn, can make screeners more susceptible to an attitude that all alarms are false and can bog down the screening process.

NEW TECHNOLOGIES

TSA continues to test new detection technologies at various airports. One area where TSA has come under criticism for not moving fast enough is in explosives detection for potential suicide bombers. (Last August, suicide bombers brought down two Russian airliners, killing everyone on board.) TSA has been piloting explosives detection trace portals called “puffer” machines, made by General Electric and Smiths Detection. As a passenger walks through a machine, it blows puffs of air at the person. That air is then analyzed for explosives molecules.

Next-generation EDS machines are also being tested under TSA’s Phoenix Project and Manhattan 2 Project programs. The Phoenix Project aims to update current EDS machines to improve detection capabilities, reduce false alarms and increase throughput. The Manhattan 2 Project is an attempt to develop more advanced next-generation technologies.

Major players in the explosives detection marketplace include GE Infrastructure (a unit of General Electric that acquired a competitor, InVision Technologies, last year), L-3 Communications and Smiths Detection. “The market’s extremely new, so established large companies have the biggest foothold,” says Farr. “But it’s also an industry that rewards innovation. If anyone comes up with the next big thing, someone will buy it.” - Todd Datz


A  TSA  employee  gets  “puffed”  by 
the  explosives  detection  portal. 




PHOTO  BY  AP  WIDE  WORLD/JOE  GIBLIN 


It’s  OK  to  show  off  to  your 
friends  that  you  were  in  CSO. 


But  it’s  even  better  to 
show  your  customers. 


What  better  way  to  inform  your  key  customers 
of  your  editorial  coverage  in  CSO  than  through 
customized  Editorial  Reprints? 

Leverage  the  positive  impact  of  your  editorial 
coverage  by  using  reprints  for  direct  mail 
campaigns,  seminar  promotions,  employee 
communications,  recruiting  and  marketing 
programs.  Let  us  enhance  your  reprints  with 
your  company’s  logo,  address,  and  sales 
message.  Reprints  make  great  SALES  tools 
for  trade  shows,  mailings  or  media  kits. 

And while a framed copy of your article will look neat on your wall, it will look even better in the hands of your customers.

For  more  information  on  customized 
editorial  reprints  in  volume  quantities, 
contact  Keith  Williams  at  212.221.9595  x319 
or  email  keith@parsintl.com.  Website: 
www.magreprints.com/quickquote.asp 


CSO 

The  Resource  for 
Security  Executives 




THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


Sales  and  Services 

CSO  Sales  Offices 

President  and  CEO 

Walter  Manninen  •  508  935-4101 

Group  Publisher 

Gary  J.  Beach  •  508  935-4202 

Publisher  Bob  Bragdon  •  508  935-4443 

Executive  VP  Sales/Custom  Publishing 
Ellen  Romanow  •  508  935-4796 

East  Coast 

East  Coast  Regional  Manager 
Roz  Burke  •  508  935-4163 

Regional  Sales  Director 
Kathy  Powers  •  201  634-2331 

Sales  Assistant 

Christine  Hopkins  •  508  988-7836 

Midwest 

Regional  Sales  Director 
Robert  E.  Sawdon  •  512  306-9801 

Senior  District  Sales  Manager 
Beth  DeVillez  •  847  441-3140 

West  Coast 

Western  Regional  Sales  Manager 
Mary  Sinclair  •  415  975-2691 

Senior  Regional  Sales  Manager 
Al Collins • 415 975-2686

List  Services 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 

List  Services  Account  Executive 
Stephanie  Roy  •  508  935-4151 

Online  Services 

VP/Online  Sales 

Lisa  Brown  •  508  935-4470 

Online  Sales  Manager 
Michael  McPhee  •  508  935-4611 

Custom  Publishing 

Group  Director 

Michael  Siggins  •  508  988-6763 
Director  Mary  Gregory  •  508  988-6765 

Director  of  Content  Development 

Tom  Field 

Associate  Director  of  Content  Development 
Anne  Stuart 

Senior  Project  Manager 
Amy  Greenleaf 

Project  Managers  Dawn  Cora, 

John  Danielowich,  John  Heinrich 


Production 

VP/Manufacturing  Chris  Cuoco 
Senior  Production  Manager  Lee  Tuttle 

Senior  Production  Coordinator 

Lisa  Stevenson 

Production  Coordinator 

Stephanie  Naughton 

Executive  Programs 

Senior  VP/Executive  Programs 

Jennifer  Richards 

Conference  Management  VP 
Cynthia  Mollus 

Business  Development  Directors 
Chris  Mattoon,  John  Vulopas 

Program  Operations  Manager 

Brian  Fuce 

Senior  Client  Relations  Specialist 
Sandra  J.  Hughey 

Senior  Logistics  Coordinator 
Michael  Barbato 

Event  Planning  Director  Amy  Turell 
Event  Planner  Sarah  Yee 

Marketing 

Executive  VP/CMO 
Cathy  O’Leary  Hayes 

Senior  VP/News  and  Information 

Susan  Watson 

Publicist  Lori  Piscatelli 

Marketing  Research  Director 
Bridget  Cammarata 

Marketing  Research  Manager 

Dylan  DiGregorio 

Senior  Director,  Marketing  Communications 
Sue  Yanovitch 

Partnership/Sponsorship  Coordinator 
Lynn  Holmlund 

Circulation 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 

Subscription  Svcs.  Supervisor 
Tina  Pescaro 

Reprint  Services 

For article reprints (500 quantity or more), please contact Keith Williams at PARS International at 212 221-9595 x319 or e-mail keith@parsintl.com. For further sales information, visit www.csoonline.com/reprints/index.html.


CSO  Contact 
Information 

Editorial,  Advertising  and  Business  Offices 

492  Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208,  508  872-0080. 

Postal  Information 

CSO  (ISSN  1540-904x)  is  published  monthly 
by  CXO  Media  Inc.,  492  Old  Connecticut 
Path,  P.O.  Box  9208,  Framingham,  MA 
01701-9208.  Periodicals  Postage  Paid  at 
Framingham,  MA  01701,  and  at  additional 
mailing  offices.  Canadian  Publications  Mail 
agreement  number  1902075.  CANADIAN 
POSTMASTER:  Please  return  undeliverable 
copy  to  P.O.  Box  1632,  Windsor,  ON  N9A7C9. 

Permissions 

Copyright 2004 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send requests to Andrew Burrell, CXO Media Inc., 492 Old Connecticut Path, Framingham, MA 01701. Telephone 508 935-4785. E-mail aburrell@cxo.com.

Photocopy  Rights 

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: $.

Subscriptions 

Address  inquiries  to  CSO,  P.O.  Box  3482, 
Northbrook,  IL  60065;  866  354-1125.  CSO 
is  free  to  qualified  information  executives. 

To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin.

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to  CSO,  P.O.  Box 
3482,  Northbrook,  IL  60065.  Printed  in  the 
USA. 


Index  of  Companies 
and  Advertisers 

Page numbers refer to the first page of the article(s) in which the company has a substantial mention. This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.


Company  Index 

31V,  Co . 34 

Academy for Scientific Investigative Training, The . 34

AirMagnet  Inc . 30 

American  Water  Works  Co.,  Inc . 46 

Applied  Optical  Technologies  Inc . 17 

BDO  Seidman  LLP  . 34 

Boeing  Co.,  The  . 46 

Boise  Cascade  LLC  . 34 

Cable  and  Wireless  PLC  . 46 

Cablevision  Systems  Corp . 30 

ChoicePoint  Inc . 26 

Citigate  Global  Intelligence 

&  Security  LLC  . 34 

Citigroup  Inc . 46 

Computer  Sciences  Corp . 46 

CyberScrub  LLC  . 30 

Cybertrust  Inc . 46 

Dell  Inc . 30 

Deloitte  &  Touche  LLP  . 17 

eBay  Inc . 26 

Enterasys  Networks  Inc . 42 

E-Trade  Financial  Corp . 30 

Fidelity  National  Financial  Inc . 34 

Forrester  Research  Inc . 46 

Frost  &  Sullivan  Ltd . 57 

General  Electric  Co . 28, 57 

Greymans  Ltd . 46 

IDG  News  Service  . 26 

Imperial  Chemical  Industries  PLC  . 46 

Insight  Research  Inc . 42 

In-Stat/MDR  . 42 

Intel  Corp . 30 

InterMute  Inc . 30 

Iomega  Corp . 30 

Iron  Mountain  Inc . 46 

Kimbells  LLP  . 46 

Kimberly-Clark  Corp . 34 

Kroll  Inc . 34 

L-3  Communications  Holdings  Inc . 57 

Lavasoft  Inc . 30 

London  Stock  Exchange  PLC  . 46 

Microsoft  Corp . 30 

National  Starch  and  Chemical  Co . 46 

Nemertes  Research  LLC  . 42 

Netgear  Inc . 30 

NetTumbler  . 30 

New  Perspectives  Consulting  Group  Inc . 17 

Nihill  &  Riedley  PC  . 34 

PestPatrol  Inc . 30 

Pfizer  Inc . 17 

PreventSys  Inc . 42 

Procter  &  Gamble  Co.,  The  . 34, 46 

Purdue  Pharma  LP  . 17 

Radian  Inc . 17 

RSA  Security  Inc . 30 

RWE  Thames  Water  . 46 

S2  Security  Corp . 42 

SACS  Consulting  & 

Investigative  Services  Inc . 34 

Secure  Environments  Inc . 28 

Skype  Technologies  S A . 57 

Smiths  Detection  . 57 

Standard  Chartered  Bank  . 46 

Standish  Group  International  Inc.,  The  . 10 

SurfControl  PLC  . 30 

Symantec  Corp . 30 

T-Mobile  USA  Inc . 17 

V  LLC  . 17 

Zone  Labs  LLC  . 30 

Advertiser Index

American Dynamics .... 23
ASIS International .... 15
Authenex Inc. .... 25
Bose Corp. .... 63
CDW Corp. .... 2
CXO Media Inc. .... 16, 55, 56, 59, 61
HID .... 5
IBM Corp. .... 8
IDG Corp. .... 14
Intellitactics .... 16a
Information Systems Audit & Control Assoc. .... 29
Internet Security Systems .... 12
Patchlink Corp. .... C4
QSGI .... 53
RSA Security Inc. .... 27
SafeNet .... 19
SenSage Inc. .... 56a
Software House .... 21
Sophos Plc .... 7
Sybari Software Inc. .... 11
Symantec Corp. .... C2
Symark Inc. .... C3


62 www.csoonline.com March 2005


INTRODUCING THE BOSE® WAVE® MUSIC SYSTEM

PERFORMANCE everyone can recognize.
SIMPLICITY everyone can appreciate.
ELEGANCE that speaks for itself.

ITS HERITAGE Popular Science called the original Bose Wave® radio "a sonic marvel." The Chicago Tribune said its sound was "superb." And Forbes ASAP magazine placed it on their "All-Time A-List" of technology breakthroughs that have changed the world. Now, the award-winning predecessor has been engineered to a new standard of performance, simplicity, and elegance.

ITS NEW PERFORMANCE

• Reproduces one-half octave lower musical notes.
• Produces even greater instrument clarity and definition.
• Plays the newer MP3 CDs as well as conventional CDs and of course, FM/AM radio. (MP3 CDs can contain as many as ten standard CDs on just one disc.)
• David Novak, the Gadget Guy, says, "It can easily replace whatever component system you currently have."

ITS NEW SIMPLICITY

• No buttons! It is completely and conveniently controlled by a small, elegant remote control.

ITS NEW ELEGANCE

• The original model has been repeatedly praised for its distinctive design. The new model has carried this design to an unprecedented level with the absence of all buttons.
• A thin, slot-loaded CD player replaces the previous top door mechanism.

NEW BOSE PAYMENT PLAN AND A 30-DAY EXCITEMENT GUARANTEE. Use your own major credit card to make a low down payment and 11 convenient monthly payments, with no interest charges from Bose.* Our Excitement Guarantee lets you experience the new Wave® music system for 30 days risk free. During this trial period please compare, side by side, the sound to that of larger and more expensive sound systems owned by you or your friends. You will appreciate our request when you make this comparison.

FREE shipping with your order.

TO ORDER OR FOR INFORMATION CALL 1-800-400-3416, ext. TF767

Discover all our innovative products at www.bose.com/tf767

Better sound through research®

*Bose payment plan available on orders of $299-$1500 paid by major credit card. Down payment is 1/12 the product price plus tax. Then, your credit card will be billed for 11 equal monthly installments with 0% APR and no interest charges from Bose. Credit card rules and interest may apply. U.S. residents only. Limit one active financing program per customer. ©2004 Bose Corporation. Patent rights issued and/or pending. The distinctive design is also a registered trademark of Bose Corporation. Financing and free shipping offer not to be combined with other offers or applied to previous purchases, and subject to change without notice. Risk free refers to 30-day trial only. Delivery is subject to product availability. Quotes are reprinted with permission: Marcelle M. Soviero, Popular Science, 12/93; Rich Warren, Chicago Tribune, 8/27/93; Forbes ASAP (in reference to the original Wave® radio), 11/27/00.


Condensed Narrative

How Lori Lee-Savage Got Her Identity Back

Prelude: How Lori Lee-Savage Lost Her Identity in the First Place

Best guess: I pay bills online, and I used an unencrypted wireless modem. I know I had entered my account number and check routing number online.

Chapter 1: When She Found Out

December 1st. I was Christmas shopping on my lunch break. My debit card was rejected twice. On my way back to work, I stopped at the bank. My balance was -$192.

Chapter 2: How She Reacted

I did freak out. I felt violated. I cried. Just a few tears.

Chapter 3: What the Bank Told Her

The manager in the big leather chair said, “I hate to say it, but you look like the next victim of identity theft.” Someone had written 11 checks totaling $3,100. The checks used my real routing and account numbers. They used my last name for a fake company name, Savage and Co. And they were signed with a fake name, June Smith of Statesboro, Ga.

Chapter 4: Where June Smith Shopped

High-end women’s stores. Book stores. The checks were cashed in Columbus, Ohio.

Chapter 5: The Significance of Columbus

It’s my hometown. The bank kept asking me if someone there I know could have done this. I hadn’t been to Columbus in a year, and my checkbook never leaves my drawer at home. I want to believe that the Columbus thing is a coincidence.

Chapter 6: What the Bank Did

They put a hold on my account, and then created a new account for me.

Chapter 7: What the Bank Told Lori to Do

I had to put fraud alerts out to the Social Security Administration and to all three credit agencies and request monthly credit reports. I had to call a detective and the FBI. I had to request an account activity statement from the bank. They unlocked the account, got the statement and began to reverse the charges.

Chapter 8: What the Detective Noticed a Few Days Later

Nine more checks worth $1,200 written against the old account. The bank forgot to relock the account.


Chapter 9: What the Detective Said About That

He told me I shouldn’t worry because I wouldn’t eat the cost. But the retailers eat the cost, and that cost goes back to the consumer. I like shopping. I don’t want to pay higher prices.

Chapter 10: Who Let Lori Down

Everyone. The wireless vendor for not building in encryption. The retailers for taking the fake checks. The bank for not even noticing the strange account activity, and then forgetting to relock the account. The authorities for not even really trying to catch anyone.

Chapter 11: What the Investigation Yielded

Nothing. The authorities told me the case is pretty much closed. And once my account was repaired, the bank told me that the amount wasn’t large enough for them to research it.

Chapter 12: How Lori Lee-Savage Got Her Identity Back

I mean, I was cleaned out at Christmastime. Was I angry? Yes. Did I cry? Yes. Then I said, “OK, what do I need to do to change this?”

So I bought wireless encryption software.

I’m educating myself, learning about the security structure of websites. Oh, and I switched banks.

Afterword: The Moral of the Story

I was more upset by the system than I was by the actual act. You want to feel that all these institutions have your back; they don’t. You want to think they can prevent this; they can’t.

Lori Lee-Savage works for a nonprofit company in Virginia.




ILLUSTRATION BY ALLISON SEIFFER


Non-compliance can cost you millions. Symark solutions secure your UNIX/Linux accounts and passwords, and protect your ROOT passwords and privileges, while delivering detailed Logs and Reports for UNIX/Linux Audits and Regulatory Compliance, like SOX, GLBA, and HIPAA.

To see how to strengthen your UNIX/Linux security, get a FREE copy of our white paper, "Passing UNIX/Linux Audits and Meeting Regulatory Compliance," visit www.symark.com. Or, call us at 800-234-9072 to schedule a live Webex demonstration and mention this ad to receive your special 5-System Starter Pack pricing.

PowerKeeper
Secure storage and access of ROOT passwords

■ Hardened appliance-based solution for easy deployment
■ Passwords are stored with AES and signed with X.509 certificates
■ Passwords are accessed using only HTTPS and secure authentication, with optional "Approver" authorization
■ Automatic "strong" ROOT password generation and scheduled resets
■ Detailed Reports of all ROOT password requests and releases
■ Also supports Windows, database, router and firewall Administrative passwords

PowerPassword
User Management Edition

■ Centrally deploy, modify, and delete UNIX/Linux accounts
■ Fast and easy UID/GID synchronization
■ Strengthen password composition, enforce aging and lockouts
■ Control who may login to/from which hosts, when, method, and conditions
■ Detailed Reports for all account and login activities

PowerBroker
Root Privilege Delegation

■ Securely delegate root and other special account privileges (e.g., oracle)
■ Define who may run which privileged UNIX/Linux tasks, to/from which hosts, when, and under what conditions
■ Detailed user task logging down to the keystroke
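The PowerKeeper bullets above describe the shape of a privileged-password vault: passwords sealed at rest, released only after a second person approves, generated strong and reset on a schedule, with every request and release recorded. The Go program below is an added illustration of that pattern and is not Symark's code. The host name db01.example.com, the user names and the in-memory map are constructed for the example; a real deployment would unseal the master key from a hardware or sealed store and put the check-out behind an authenticated HTTPS front end, and the X.509 signing the ad mentions is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Vault keeps privileged-account passwords sealed at rest with AES-256-GCM and
// releases them only through an approver-gated, logged check-out.
type Vault struct {
	aead    cipher.AEAD
	entries map[string][]byte // host -> nonce || ciphertext
	Audit   []string          // append-only record of every reset, release and denial
}

// NewVault takes a 32-byte master key (AES-256).
func NewVault(masterKey []byte) (*Vault, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, entries: map[string][]byte{}}, nil
}

// Ambiguous glyphs (0/O, 1/l/I) are omitted so a break-glass printout reads back unambiguously.
const passwordAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+"

// GeneratePassword draws every character from crypto/rand, never math/rand.
func GeneratePassword(length int) (string, error) {
	if length < 16 {
		return "", errors.New("refusing to generate a privileged password shorter than 16")
	}
	out := make([]byte, length)
	for i := range out {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(passwordAlphabet))))
		if err != nil {
			return "", err
		}
		out[i] = passwordAlphabet[n.Int64()]
	}
	return string(out), nil
}

// Rotate is the scheduled reset: a fresh random password is sealed under a fresh nonce,
// with the host name bound in as additional authenticated data so one host's
// ciphertext cannot be presented as another host's password.
func (v *Vault) Rotate(host string, at time.Time) (string, error) {
	pw, err := GeneratePassword(24)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	v.entries[host] = v.aead.Seal(nonce, nonce, []byte(pw), []byte(host))
	v.Audit = append(v.Audit, fmt.Sprintf("%s RESET host=%s", at.Format(time.RFC3339), host))
	return pw, nil
}

// Checkout releases the password only when a distinct approver has signed off,
// and records the outcome either way.
func (v *Vault) Checkout(host, requester, approver string, at time.Time) (string, error) {
	sealed, ok := v.entries[host]
	if !ok {
		return "", errors.New("no password stored for " + host)
	}
	stamp := at.Format(time.RFC3339)
	if approver == "" || approver == requester {
		v.Audit = append(v.Audit, fmt.Sprintf("%s DENY host=%s requester=%s approver=%q", stamp, host, requester, approver))
		return "", errors.New("release requires approval by someone other than the requester")
	}
	pt, err := v.aead.Open(nil, sealed[:v.aead.NonceSize()], sealed[v.aead.NonceSize():], []byte(host))
	if err != nil {
		return "", err
	}
	v.Audit = append(v.Audit, fmt.Sprintf("%s RELEASE host=%s requester=%s approver=%s", stamp, host, requester, approver))
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; production unseals this from an HSM or sealed file
	rand.Read(key)
	v, _ := NewVault(key)
	now := time.Date(2005, 3, 1, 9, 0, 0, 0, time.UTC)
	v.Rotate("db01.example.com", now)
	_, err := v.Checkout("db01.example.com", "alice", "alice", now) // denied: self-approval
	pw, _ := v.Checkout("db01.example.com", "alice", "bob", now)
	fmt.Println(err, "|", len(pw), "chars released |", len(v.Audit), "audit lines")
}
```

Two details carry the security weight. The host name is passed as GCM additional authenticated data, so a vault entry copied from one host's record to another fails to open rather than silently yielding the wrong (or a chosen) password. And a denied request is written to the audit trail before the error is returned, so the report of "all requests and releases" includes the attempts, not just the successes; an approver equal to the requester is refused for the same reason a single person should not both ask for and grant root.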


Not just secure. Symark secure.

SYMARK
800-234-9072 | www.symark.com

POWERKEEPER® • POWERBROKER® • POWERPASSWORD® User Management Edition • EASY TO DEPLOY • GRANULAR CONTROL • EXCEPTIONAL SUPPORT




Is your network sending out an open invitation to be breached?

Inside your free kit:

■ Expert analysis from Yankee Group
■ Instructive white paper
■ Real-world case studies and more

Now you can exchange your invitation for a padlock. Just request your FREE "Automating Patch Management" Kit and discover how to . . .

■ Prevent network breaches by identifying and loading critical patches — effortlessly.
■ Eliminate days of research determining which patches are essential to the security of your system — whether it be Windows, Unix, Linux or Macintosh systems and applications.
■ Confidently install fully-tested patches to avoid conflicts or system damage — and automatically roll back to a secure system when and if the need arises.

When your enterprise network is vulnerable, your entire organization is vulnerable.

Request your "Automating Patch Management" Kit now, with no obligation, and see how easily you can stop sending out this dangerous invitation.




www.Patchlink.com/cso

PatchLink™
The Patch Management Experts


